The

{multimedia} macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded (user submitted) swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The {multimedia}

tag is bundled in with the base product and not an optional macro, so steps may need to be taken by Atlassian to fix this issue if there isn't a configuration setting anywhere.

This issue was reported by Workday's Security Operations team member Michael Carlson