Content Spoofing in the createrssfeed action


    • 5

      A third-party scan found that the createrssfeed action is vulnerable to content spoofing, specifically text injection. In this case, the content spoofing may be used to perform a phishing attack on users.

      How to reproduce:
      1. Go to https://$confluence/$contextPath/wiki/spaces/createrssfeed.action?types=blogpost&spaces=ds&sort=modified&title=Please%20login%20at%20https://attacker.com&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom
      2. Observe that the title parameter is found in the response.

      Note: different browsers render the RSS feed XML differently. While Chrome just shows the raw XML, Internet Explorer and Firefox both render the returned XML as a 'semi-HTML page'.

            Assignee: Giang Vo
            Reporter: David Black
            Votes: 0
            Watchers: 5

              Created:
              Updated:
              Resolved:
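
For defenders triaging this issue, the following is an added example (not part of the original report and not Atlassian code) that scans web access logs for createrssfeed.action requests whose title parameter carries a link or hostname, as in the reproduction step above. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed combined log format: client address, then "METHOD target HTTP/x".
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Heuristic: a feed title should name the feed; a URL or hostname in it
# is worth a look. Expect occasional false positives on dotted words.
LINK_RE = re.compile(
    r"(?:https?://|www\.)\S+|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

def suspicious_feed_title(request_target):
    """Return the decoded title if a createrssfeed.action request
    carries a link-bearing title parameter, otherwise None."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/createrssfeed.action"):
        return None
    for title in parse_qs(parts.query).get("title", []):
        if LINK_RE.search(title):
            return title
    return None

def scan_access_log(lines):
    """Return (client, decoded title) for every flagged request line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        title = suspicious_feed_title(target)
        if title is not None:
            hits.append((client, title))
    return hits

# Constructed sample lines (documentation address range, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /wiki/spaces/createrssfeed.action'
    '?types=blogpost&spaces=ds&sort=modified&title=Please%20login%20at%20https://attacker.com'
    '&maxResults=15&publicFeed=false&os_authType=basic&rssType=atom HTTP/1.1" 200 1523',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /wiki/spaces/createrssfeed.action'
    '?types=blogpost&spaces=ds&title=Demonstration+Space+RSS+Feed&rssType=atom HTTP/1.1" 200 1490',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /wiki/dashboard.action'
    '?title=https://example.org HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, title in scan_access_log(SAMPLE_LOG):
        print(f"{client}: feed title carries a link: {title!r}")
```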