• Type: Bug
    • Resolution: Fixed
    • Priority: Highest
    • Fix Version: 3.4.5
    • Affects Versions: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
    • Component: None

      We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {create-space-button} macro.

      XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

      This issue is reported in our security advisory on this page:
      http://confluence.atlassian.com/x/HgdrDQ

        1. confluence-dashboard-macros-1.13.1.jar (43 kB, attached by Matthew Erickson)
        2. confluence-dashboard-macros-3.4.4.jar (47 kB, attached by Stefan Saasen)

            [CONFSERVER-21394] XSS vulnerability in Create Space Button macro

            VitalyA added a comment -

            Please note that we have released multiple advisories about Confluence 3.2 or later, the earliest advisory - http://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2010-05-04. We recommend that you review them and decide whether you can upgrade to a more recent version of the product or apply external security controls if you cannot. Most of the vulnerabilities are not critical and often present less risk when used in a corporate environment with no access from the Internet.

            We usually provide patches only for critical severity (= really bad) vulnerabilities as a stop-gap measure until you can upgrade, and you should not expect that you can continue patching your system instead of upgrading. Our patches are often non-cumulative - we do not recommend that you apply multiple patches from different advisories on top of each other, but strongly recommend to upgrade to the most recent version regularly.


            Jeff Kirby added a comment -

            I'm confused because the plugin exchange site lists 1.14 as the latest version available for the Dashboard Macros Plugin. Does 1.13.1 supercede version 1.14?
            https://studio.plugins.atlassian.com/wiki/display/DASHMACROS/Confluence+Dashboard+Macros


            Dave added a comment -

            Will we get a separate fix for 3.2 or the current fix can be used?


            HengHwa Loi [Atlassian] added a comment - - edited

            Tested 3.4.4 on Confluence 3.1.2, the following error occurs in the Dashboard:

            Error formatting macro: spaces: java.lang.NoSuchMethodError: com.atlassian.confluence.labels.LabelManager.getTeamLabelsForSpaces(Ljava/util/Collection;)Ljava/util/List;

            Plus the Dashboard does not render properly.


            Stefan Saasen (Inactive) added a comment -

            I have attached version 3.4.4 of the Confluence Dashboard Macros plugin which contains the fix for this issue, and has been tested to work with Confluence 3.4.x.

            Matthew Erickson added a comment - - edited

            I have attached version 1.13.1 of the Confluence Dashboard Macros plugin which contains the fix for this issue, and has been tested to work with Confluence 3.3.x.


              Assignee: Unassigned
              Reporter: smaddox (SarahA)