• Type: Bug
• Resolution: Fixed
• Priority: Highest
• Fix Version: 3.4.5
• Affects Versions: 3.0, 3.1, 3.2, 3.3, 3.4
• Component: None

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {recently-updated} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ

            [CONFSERVER-21392] XSS vulnerability in Recently Updated macro

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.


            Dave added a comment -

            Will we get a separate fix for 3.2, or can the current fix be used?


            Andreas Hartmann added a comment -

            I have tested 1.9.2 with Confluence 3.0.2. It does NOT work (ClassNotFoundException in recently-updated macro).
            Could you please provide us with a plugin version which works with 3.0.2?
            We can't immediately update our production environment to a later version of Confluence.

            HengHwa Loi [Atlassian] added a comment -

            Tested 1.9.2 on 3.1.2, it works!!

            Stefan Saasen (Inactive) added a comment -

            I have attached version 1.12.3 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.4.x.

            Matthew Erickson added a comment - - edited

            I have attached version 1.9.2 of the Advanced Macros plugin which fixes this issue, and has been tested to work with Confluence 3.3.x.


              Assignee: Unassigned
              Reporter: SarahA (smaddox)