- Type: Bug
- Resolution: Fixed
- Priority: High
- Affects Version/s: 4.1.6
- Component/s: None
- 4.3
A skipfish scan of Confluence found that flushcache.action is vulnerable to 'open redirect', as the redirectUrl seems to end up in the Location HTTP header on a 302 redirect response. Note the token parameter in the
Here is an example attack using the flaw:
http://localhost:8080/confluence/admin/flushcache.action?cache=com.atlassian.confluence.locale.requestLang&redirectUrl=XXXX&atl_token=xxx23
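
One way to validate a redirect parameter before it is written to the Location header, shown as an added example (it is not code from this report and not Atlassian's fix). The `/confluence` context path is taken from the sample URL above; the fallback target, the function names and the test values are assumptions made for illustration.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

CONTEXT_PATH = "/confluence"   # assumption: context path from the sample URL
FALLBACK = CONTEXT_PATH + "/"  # assumption: where to send rejected redirects


def safe_redirect_target(raw, context_path=CONTEXT_PATH, fallback=FALLBACK):
    """Return raw only if it is a path inside this application, else fallback."""
    if not raw:
        return fallback
    # CR/LF and other control characters could split the Location header;
    # browsers treat a backslash like "/", so "/\host" acts like "//host".
    if "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return fallback
    # Only server-relative paths; "//host/..." is protocol-relative.
    if not raw.startswith("/") or raw.startswith("//"):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:
        return fallback
    if parts.scheme or parts.netloc:
        return fallback
    # Resolve "." and ".." before checking the path stays under the context path.
    path = posixpath.normpath(parts.path)
    if path != context_path and not path.startswith(context_path + "/"):
        return fallback
    return raw


def location_for(request_url):
    """Location header value for a flushcache-style request URL."""
    query = parse_qs(urlsplit(request_url).query)
    return safe_redirect_target(query.get("redirectUrl", [""])[0])


if __name__ == "__main__":
    base = ("http://localhost:8080/confluence/admin/flushcache.action"
            "?cache=com.atlassian.confluence.locale.requestLang&atl_token=xxx23")
    # Constructed redirectUrl values, not taken from the report.
    for value in ("/confluence/dashboard.action", "http://attacker.example/",
                  "//attacker.example/", "/confluence/../other", "XXXX"):
        print(f"{value!r:32} -> {location_for(base + '&redirectUrl=' + value)}")
```
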