[CONFSERVER-21819] XSS vulnerability in Table of Contents (toc) macro

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.4.9
Affects Version/s: None
Component/s: None
Labels:
- advisory
- cvss-high
- editor
- security

Bug Fix Policy:
View Atlassian Server bug fix policy

We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence {toc} macro. All versions from 2.9 to 3.4.8 are affected.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

cgisecurity.com: http://www.cgisecurity.com/articles/xss-faq.shtml
The Web Application Security Consortium: http://projects.webappsec.org/Cross-Site+Scripting

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/MgCzDQ

The page also includes detailed patch instructions.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

toc-plugin-2.4.12.jar
150 kB
15/Feb/2011 2:04 AM

Form Name

Katherine Yabut made changes - 13/Nov/2018 4:41 AM

Workflow

Original: JAC Bug Workflow v3 [ 2886151 ]

New: CONFSERVER Bug Workflow v4 [ 2979527 ]

Owen made changes - 11/Oct/2018 8:51 AM

Workflow	Original: JAC Bug Workflow v2 [ 2793027 ]	New: JAC Bug Workflow v3 [ 2886151 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:17 PM

Workflow

Original: JAC Bug Workflow [ 2726435 ]

New: JAC Bug Workflow v2 [ 2793027 ]

Owen made changes - 02/Jul/2018 7:03 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2390544 ]

New: JAC Bug Workflow [ 2726435 ]

Katherine Yabut made changes - 22/Jun/2017 6:50 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2269687 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2390544 ]

Katherine Yabut made changes - 31/May/2017 5:32 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2220217 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2269687 ]

Katherine Yabut made changes - 31/May/2017 4:56 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2157609 ]

New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2220217 ]

Katherine Yabut made changes - 31/May/2017 1:56 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 1913345 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2157609 ]

Katherine Yabut made changes - 03/Apr/2017 3:54 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v3 [ 1721080 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 1913345 ]

Katherine Yabut made changes - 28/Feb/2017 6:32 AM

Workflow

Original: CONF Bug Subtask WF (TEMP) [ 1669440 ]

New: Confluence Workflow - Public Facing - Restricted v3 [ 1721080 ]

Assignee:: VitalyA

Reporter:: SarahA

Affected customers:: 0 This affects my team

Watchers:: 4 Start watching this issue

Created:: 14/Feb/2011 10:01 PM

Updated:: 11/Oct/2018 8:51 AM

Resolved:: 14/Feb/2011 10:01 PM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates