Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.8
Affects Version/s: 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4
Component/s: None
Labels:
- advisory
- affects-server
- cvss-high
- editor
- plugins
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a cross-site scripting (XSS) vulnerability in the action links of Confluence's attachments lists. All versions from 2.7 to 3.4.7 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-attachments-plugin-2.20.jar
04/Feb/2011 2:36 AM
505 kB
Stefan Saasen

Assignee:: VitalyA

Reporter:: Giles Gaskell [Atlassian]

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 03/Feb/2011 11:20 PM

Updated:: 11/Oct/2018 9:01 AM

Resolved:: 02/Mar/2011 12:17 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates