- Type: Bug
- Resolution: Won't Fix
- Priority: Low
- Affects Version/s: 5.1.1
- Component/s: None
I've found several XSS issues in the URLs and parameters listed below. The criticality of the issues is moderate, since only browsers that perform content sniffing would be affected (e.g. IE7). This limitation comes from the response's Content-Type header being set to text/plain. The classical payload <script>alert(1)</script> can be used in all of them as a POC.
XSS locations:
+ https://confluence/rest/tinymce/1/embed/placeholder/image (parameter: contentId)
+ https://confluence/rest/tinymce/1/drafts (parameters: draftId and pageId)
+ https://confluence/rest/tinymce/1/macro/preview (parameters: name and body)
+ https://confluence/rest/tinymce/1/macro/placeholder (parameters: name and contentId)
If there's more information required, please let me know and I'll do my best to provide greater details.
Regards,
Adrián
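As an added example that is not part of the original report, the following Python code classifies a response by its headers into the cases the report turns on: declared HTML, sniffable text/plain (the situation described above), or inert because X-Content-Type-Options: nosniff or a Content-Disposition: attachment header stops a legacy browser from rendering the body. The endpoint paths and header values are constructed from the report for illustration, not captured from a live system.

```python
# Added example (not part of the original report): header-based audit of
# whether a response that reflects user input could be rendered as HTML by a
# content-sniffing browser such as IE7. Only standard HTTP headers are used;
# all sample responses below are constructed.
from typing import Dict, List, Mapping


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def classify(headers: Mapping[str, str]) -> str:
    """Classify a response by its headers.

    'html'      declared text/html, so reflected markup renders regardless
    'sniffable' text/plain (or no type) served inline without nosniff, the
                case the report describes for legacy sniffing browsers
    'inert'     nosniff set, forced download, or a non-text media type
                (non-text types are treated as inert here as an assumption;
                legacy sniffing rules varied by browser)
    """
    if _header(headers, "X-Content-Type-Options").lower() == "nosniff":
        return "inert"
    if _header(headers, "Content-Disposition").lower().startswith("attachment"):
        return "inert"
    # Strip parameters such as "; charset=UTF-8" before comparing the media type.
    media_type = _header(headers, "Content-Type").split(";", 1)[0].strip().lower()
    if media_type == "text/html":
        return "html"
    return "sniffable" if media_type in ("", "text/plain") else "inert"


def audit(responses: Mapping[str, Mapping[str, str]]) -> List[str]:
    """Return the endpoints whose headers leave them sniffable."""
    return [path for path, hdrs in responses.items() if classify(hdrs) == "sniffable"]


# Constructed sample headers modelled on the report: REST endpoints answering
# with text/plain and no nosniff header, plus a hardened variant for contrast.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/rest/tinymce/1/drafts": {"Content-Type": "text/plain; charset=UTF-8"},
    "/rest/tinymce/1/macro/preview": {"Content-Type": "text/plain"},
    "/rest/tinymce/1/drafts (hardened)": {
        "Content-Type": "text/plain; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    },
}

if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print("sniffable:", path)
```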