[%22,] Stored XSS in the Livesearch macro - CVE-2020-36290 - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.5, 7.6.3, 7.7.4
Affects Version/s: 7.3.3, 7.4.1
Component/s: Macros - Search
Labels:

Fixed in Long Term Support Release/s:

Download 7.4
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Affected versions:

version < 7.4.5
7.5.0 ≤ version < 7.6.3
7.7.0 ≤ version < 7.7.0

Fixed versions:

7.4.5
7.6.3
7.7.4

is detailed by: VULN-168619 Loading...

mentioned in: Page Failed to load

David Black added a comment - 25/Jul/2022 2:41 AM

This is an independent assessment and you should evaluate its applicability to your own IT environment.

CVSS v3 score: 5.4 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	Required

Scope Metric

Scope	Changed

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	None

https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

David Black added a comment - 25/Jul/2022 2:41 AM This is an independent assessment and you should evaluate its applicability to your own IT environment. CVSS v3 score: 5.4 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required Low User Interaction Required Scope Metric Scope Changed Impact Metrics Confidentiality Low Integrity Low Availability None https://asecurityteam.bitbucket.io/cvss_v3/#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tam Tran added a comment - 22/Sep/2020 5:59 AM

A fix for this issue is available to Server and Data Center customers in Confluence 7.7.4
Upgrade now or check out the Release Notes to see what other issues are resolved.

Tam Tran added a comment - 22/Sep/2020 5:59 AM A fix for this issue is available to Server and Data Center customers in Confluence 7.7.4 Upgrade now or check out the Release Notes to see what other issues are resolved.

Assignee:: Oliver Shen

Reporter:: AB

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 28/Jul/2020 1:04 AM

Updated:: 26/Jul/2022 3:29 AM

Resolved:: 18/Aug/2020 3:25 AM

Details

Description

Affected versions:

Attachments

Issue Links

Forms

Activity

[CONFSERVER-60118] Stored XSS in the Livesearch macro - CVE-2020-36290

Collapse comment: David Black added a comment - 25/Jul/2022 2:41 AM

Expand comment: David Black added a comment - 25/Jul/2022 2:41 AM

Collapse comment: Tam Tran added a comment - 22/Sep/2020 5:59 AM

Expand comment: Tam Tran added a comment - 22/Sep/2020 5:59 AM

People

Dates