This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

The version of Atlassian Confluence Server running on the remote host is affected by a XSS vulnerability as referenced in the CONFSERVER-97720 advisory:

  - This Reflected XSS and CSRF (vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript     code on a victims browser and force a end user to execute unwanted actions on a web application in which they're     currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability,     and requires user interaction.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior to 7.19.26, 7.20.x prior to 8.5.14, 8.6.x prior to 8.9.5 or 9.0.x prior to 9.0.1. It is, therefore, affected by a reflected Cross-Site Scripting (XSS) and a CSRF (Cross-Site Request Forgery) vulnerability which allow an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
206798	Atlassian Confluence < 7.19.26 / 7.20.x < 8.5.14 / 8.6.x < 9.0.1 (CONFSERVER-97720)	Nessus	CGI abuses	high
114420	Atlassian Confluence 9.0.x < 9.0.1 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114419	Atlassian Confluence 8.6.x < 8.9.5 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114418	Atlassian Confluence 7.20.x < 8.5.14 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114417	Atlassian Confluence < 7.19.26 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2024-21690

high

Tenable Plugins

high

high

high

high

high