
      From an external report:

      Confluence has recently been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the following URL:
      https://confluence/pages/editattachment.action
      As a means to prove the concept proposed by this issue, we added the value "<script>alert(1)</script>file" (without quotes) in the newFileName field, as described in the image named xss.png (attached).
      After the aforementioned insertion, the script executes successfully whenever a user visits the vulnerable page, which, in turn, is available at:
      https://confluence/dosearchsite.action?queryString="
      This can be seen in the images named xss1.png and xss2.png (attached).
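The report describes the classic stored-XSS pattern: a value saved through one form (the renamed attachment) is later written into a different page (the search results) without output encoding. The following is an added illustration, not code from the report or from Confluence; the template string, the `validate_new_filename` rule set and the helper names are assumptions chosen to mirror the failure mode and its two-layer fix (input validation plus context-aware output escaping).

```python
import html
import re

# Constructed sample input: the exact value the report says was submitted
# in the newFileName field.
REPORTED_FILENAME = '<script>alert(1)</script>file'

# Hypothetical reject list for an attachment-rename validator (not Confluence's
# own rule): markup and quote characters, path separators, control characters.
_FORBIDDEN = re.compile(r'[<>"\'/\\\x00-\x1f]')

def validate_new_filename(name: str) -> bool:
    """Input-side check at the Edit Attachment boundary. Returns True when the
    name is acceptable. This alone is not sufficient: data already stored, or
    written through another code path, bypasses it."""
    if not name or len(name) > 255:
        return False
    return _FORBIDDEN.search(name) is None

def render_result_vulnerable(filename: str) -> str:
    """Mirrors the defect in the report: the stored name is concatenated into
    the search-result markup verbatim, so any tags in it become live HTML."""
    return f'<a class="result">{filename}</a>'

def render_result_fixed(filename: str) -> str:
    """Output-side fix: escape for the HTML text context at render time, so the
    stored value is treated as data no matter how it got into the database."""
    return f'<a class="result">{html.escape(filename, quote=True)}</a>'

def contains_live_markup(rendered: str) -> bool:
    """Detection helper for a regression test or template review: does the
    rendered fragment contain angle brackets that the template itself did
    not emit? Assumes the fixed anchor template above."""
    body = rendered[len('<a class="result">'):-len('</a>')]
    return '<' in body or '>' in body
```

The vulnerable renderer reproduces the report's outcome for the quoted payload, while the fixed renderer emits only entity-encoded text; the validator rejects the same payload at input time, which is the defence-in-depth layer rather than the primary fix.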

      Attachments:
        1. xss.png (33 kB)
        2. xss1.png (66 kB)
        3. xss2.png (91 kB)
        4. confluence-search-2.3.13-SNAPSHOT.jar (157 kB)

              fxu Feng Xu (Inactive)
              c0a03ec99fd7 Jodson Santos