XSS Vulnerabilities in Various Confluence Actions

Severity

Atlassian rates these vulnerabilities as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Description

We have identified and fixed a number of security flaws which may affect Confluence instances in a public environment. The flaws are all XSS (cross-site scripting) vulnerabilities in various Confluence actions. Each vulnerability potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.

The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

The hacker might take advantage of the flaw to steal other users' session cookies or other credentials, by sending the credentials back to the hacker's own web server.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.

Vulnerable Actions

A hacker can inject their own JavaScript into the Confluence actions listed in the table below. Each of the actions is invoked when a user performs a specific function in Confluence, such as clicking a link or a button. The actions can also be invoked by simply entering the URL into the browser address bar. For more details please refer to the related JIRA issue, also shown in the table below.

Of that table, only two cells survive on this page: the action "Choose a user or group (user picker and group picker)" and the affected-instances entry "All Confluence instances that have the Social Bookmarking plugin".

Fix

To fix the vulnerabilities described above, Atlassian recommends that you take one of the following steps:

Download and install the patches for Confluence 2.6.x from our JIRA site - refer to the list of issues below.
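The advisory describes the pattern behind every issue it lists: a value supplied through an action's URL is written back into the page without encoding, so a crafted link carries script into other users' browsers. The following added example (not Atlassian's code, and not taken from Confluence; the function names, the picker scenario and the sample input are assumed for illustration) contrasts the unencoded rendering with the HTML-encoded rendering that the patches amount to, so that the same parameter is shown as text rather than executed.

```javascript
// Added example, not Atlassian's code: a reflected parameter written into
// page markup, first unencoded (the vulnerable pattern) and then HTML-encoded.
// escapeHtml, renderPickerResultVulnerable and renderPickerResultSafe are
// illustrative names, not Confluence APIs.

// Minimal HTML entity encoder for text placed inside element content or
// inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")   // must run first so later entities are not doubled
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the search term taken from a query parameter (for
// example one passed to a user-picker action by entering the URL directly)
// is concatenated into the response unchanged, so markup in the parameter
// is interpreted by the browser as markup.
function renderPickerResultVulnerable(searchTerm) {
  return '<p>Results for "' + searchTerm + '"</p>';
}

// Hardened pattern: the same term is HTML-encoded at the point it is written
// into the page, so the browser renders it as literal text.
function renderPickerResultSafe(searchTerm) {
  return '<p>Results for "' + escapeHtml(searchTerm) + '"</p>';
}

// Constructed sample input standing in for a crafted URL parameter; it closes
// the surrounding quotes and inserts a script element.
const CONSTRUCTED_INPUT = 'bob"><script>evil()</script>';

// Check used to show the difference: does the rendered HTML still contain a
// raw <script tag that a browser would execute?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Standalone demonstration.
console.log("vulnerable :", renderPickerResultVulnerable(CONSTRUCTED_INPUT));
console.log("hardened   :", renderPickerResultSafe(CONSTRUCTED_INPUT));
console.log("raw tag in vulnerable output:", containsRawScriptTag(renderPickerResultVulnerable(CONSTRUCTED_INPUT)));
console.log("raw tag in hardened output  :", containsRawScriptTag(renderPickerResultSafe(CONSTRUCTED_INPUT)));
```

Encoding at the output point is the fix the advisory's patches apply; the access restriction it suggests (disabling anonymous access and public signup) only narrows who can reach the vulnerable action until the patch is installed, and does not remove the flaw.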