[CONFSERVER-60118] Stored XSS in the Livesearch macro - CVE-2020-36290 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.5, 7.6.3, 7.7.4
Affects Version/s: 7.3.3, 7.4.1
Component/s: Macros - Search
Labels:

Fixed in Long Term Support Release/s:

Download 7.4
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Affected versions:

version < 7.4.5
7.5.0 ≤ version < 7.6.3
7.7.0 ≤ version < 7.7.0

Fixed versions:

7.4.5
7.6.3
7.7.4

is detailed by: VULN-168619 Failed to load

mentioned in: Page Failed to load

David Black made changes - 26/Jul/2022 3:29 AM

Labels

Original: CVE-2020-36290 advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security sxss xss

New: CVE-2020-36290 advisory advisory-released cvss-medium dont-import exclude-from-security-metrics-page security sxss xss

David Black made changes - 26/Jul/2022 3:28 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 25/Jul/2022 2:56 AM

Labels

Original: CVE-2020-36290 advisory advisory-released cvss-medium exclude-from-security-metrics-page security sxss xss

New: CVE-2020-36290 advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security sxss xss

David Black made changes - 25/Jul/2022 2:56 AM

Security

New: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 25/Jul/2022 2:56 AM

Labels

Original: CVE-2020-36290 advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security sxss xss

New: CVE-2020-36290 advisory advisory-released cvss-medium exclude-from-security-metrics-page security sxss xss

David Black made changes - 25/Jul/2022 2:55 AM

Security

Original: Reporter and Atlassian Staff [ 10751 ]

David Black made changes - 25/Jul/2022 2:50 AM

Labels

Original: advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security sxss xss

New: CVE-2020-36290 advisory advisory-to-release cvss-medium exclude-from-security-metrics-page security sxss xss

David Black made changes - 25/Jul/2022 2:50 AM

Summary

Original: CVE-2020-36290: Stored XSS in the Livesearch macro

New: Stored XSS in the Livesearch macro - CVE-2020-36290

David Black made changes - 25/Jul/2022 2:49 AM

Description

Original: The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Affected versions:
*

New: The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

h3. Affected versions:
* version < 7.4.5
* 7.5.0 ≤ version < 7.6.3
* 7.7.0 ≤ version < 7.7.0

*Fixed versions:*
* 7.4.5
* 7.6.3
* 7.7.4

David Black made changes - 25/Jul/2022 2:47 AM

Description

Assignee:: Oliver Shen

Reporter:: AB

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 28/Jul/2020 1:04 AM

Updated:: 26/Jul/2022 3:29 AM

Resolved:: 18/Aug/2020 3:25 AM

Details

Description

Affected versions:

Attachments

Issue Links

Forms

Activity

[CONFSERVER-60118] Stored XSS in the Livesearch macro - CVE-2020-36290

People

Dates