Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.8
Affects Version/s: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
Component/s: None
Labels:
- advisory
- affects-server
- cvss-high
- editor
- plugins
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

confluence-attachments-plugin-2.20.jar
505 kB
04/Feb/2011 2:36 AM

Activity

People

Assignee:: VitalyA

Reporter:: Giles Gaskell [Atlassian]

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 03/Feb/2011 11:20 PM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 02/Mar/2011 12:17 AM