• Type: Bug
• Resolution: Fixed
• Priority: Low
• Fix Version/s: 6.5.2
• Affects Version/s: 6.4.1
• Component/s: Macros - Other Macros
• Labels:

  • CVE-2017-16856
  • advisory
  • advisory-released
  • cvss-medium
  • security
  • xss

[CONFSERVER-54395] XSS through various RSS properties in the RSS macro - CVE-2017-16856

Collapse comment: David Black added a comment - 13/Dec/2017 10:26 PM

David Black added a comment - 13/Dec/2017 10:26 PM

Sure. You can disable the macro.

Expand comment: David Black added a comment - 13/Dec/2017 10:26 PM

David Black added a comment - 13/Dec/2017 10:26 PM Sure. You can disable the macro.

Collapse comment: Pavel Boev added a comment - 13/Dec/2017 9:25 AM

Pavel Boev added a comment - 13/Dec/2017 9:25 AM

Is there a temporary workaround that we can apply until we plan the upgrade?

Like disabling this macro?

Expand comment: Pavel Boev added a comment - 13/Dec/2017 9:25 AM

Pavel Boev added a comment - 13/Dec/2017 9:25 AM Is there a temporary workaround that we can apply until we plan the upgrade? Like disabling this macro?

Collapse comment: David Black added a comment - 13/Dec/2017 2:44 AM

David Black added a comment - 13/Dec/2017 2:44 AM

Not at this point in time.

Expand comment: David Black added a comment - 13/Dec/2017 2:44 AM

David Black added a comment - 13/Dec/2017 2:44 AM Not at this point in time.

Collapse comment: Deleted Account (Inactive) added a comment - 12/Dec/2017 8:47 AM

Deleted Account (Inactive) added a comment - 12/Dec/2017 8:47 AM

Can you publish information how to reproduce this issue?

Expand comment: Deleted Account (Inactive) added a comment - 12/Dec/2017 8:47 AM

Deleted Account (Inactive) added a comment - 12/Dec/2017 8:47 AM Can you publish information how to reproduce this issue?

Collapse comment: David Black added a comment - 12/Dec/2017 12:54 AM

David Black added a comment - 12/Dec/2017 12:54 AM

Hi Henri,
That page discloses critical security issue advisories. This is not a critical security issue so it will not be added to that page.

Expand comment: David Black added a comment - 12/Dec/2017 12:54 AM

David Black added a comment - 12/Dec/2017 12:54 AM Hi Henri, That page discloses critical security issue advisories. This is not a critical security issue so it will not be added to that page.

Collapse comment: Deleted Account (Inactive) added a comment - 08/Dec/2017 12:58 PM

Deleted Account (Inactive) added a comment - 08/Dec/2017 12:58 PM

Is there a regular security advisory about this case? At least I can't see this listed in https://confluence.atlassian.com/doc/confluence-security-overview-and-advisories-134526.html

Expand comment: Deleted Account (Inactive) added a comment - 08/Dec/2017 12:58 PM

Deleted Account (Inactive) added a comment - 08/Dec/2017 12:58 PM Is there a regular security advisory about this case? At least I can't see this listed in https://confluence.atlassian.com/doc/confluence-security-overview-and-advisories-134526.html

Collapse comment: David Black added a comment - 08/Dec/2017 4:15 AM

David Black added a comment - 08/Dec/2017 4:15 AM

Confluence 6.4.1 was the version this issue was reproduced in but earlier versions of Confluence, such as 6.3 are also affected.

Expand comment: David Black added a comment - 08/Dec/2017 4:15 AM

David Black added a comment - 08/Dec/2017 4:15 AM Confluence 6.4.1 was the version this issue was reproduced in but earlier versions of Confluence, such as 6.3 are also affected.

Collapse comment: Ireneusz Lepel added a comment - 07/Dec/2017 10:03 AM

Ireneusz Lepel added a comment - 07/Dec/2017 10:03 AM

" in Atlassian Confluence before version 6.5.2" yet the issues Affected Version points only for Confluence 6.4. Is Confluence 6.3 affected?

Expand comment: Ireneusz Lepel added a comment - 07/Dec/2017 10:03 AM

Ireneusz Lepel added a comment - 07/Dec/2017 10:03 AM " in Atlassian Confluence before version 6.5.2" yet the issues Affected Version points only for Confluence 6.4. Is Confluence 6.3 affected?

Collapse comment: Deleted Account (Inactive) added a comment - 06/Dec/2017 9:45 PM

Deleted Account (Inactive) added a comment - 06/Dec/2017 9:45 PM

Are 5.10 versions affected?

Expand comment: Deleted Account (Inactive) added a comment - 06/Dec/2017 9:45 PM

Deleted Account (Inactive) added a comment - 06/Dec/2017 9:45 PM Are 5.10 versions affected?

Collapse comment: Security Metrics Bot added a comment - 05/Dec/2017 4:13 AM

Security Metrics Bot added a comment - 05/Dec/2017 4:13 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.
CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Expand comment: Security Metrics Bot added a comment - 05/Dec/2017 4:13 AM

Security Metrics Bot added a comment - 05/Dec/2017 4:13 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N