XSS vulnerability in the "import word document" page action through the page name

XMLWordPrintable

    • 6.5

      On the "import word document" page action the name of the confluence page is a persistent xss vector (as it is not encoded).

      How to Reproduce:

      1. Create a confluence page with the following title

      XSS"/><script>alert('XSS')</script>

      2. Navigate to the created page
      3. Under the tools menu select "Import Word Document"
      4. Upload a word document
      5. Click "Next"
      6. See an alert prompt containing the text 'XSS' within it.

              Assignee:
              Chii (Inactive)
              Reporter:
              David Black
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: