Atlassian Confluence 2.x >= 2.7 / 3.x < 3.4.6 Multiple XSS

low Nessus Plugin ID 53575

Synopsis

The remote web application is affected by multiple cross-site scripting vulnerabilities.

Description

According to its self-reported version number, the instance of Atlassian Confluence on the remote host is a 2.x version that is 2.7 or later, or else version 3.x prior to 3.4.6. It is, therefore, affected by multiple, cross-site scripting vulnerabilities.

Errors in the validation of input data to certain macros allow unfiltered data to be returned to a user's browser. The affected macros are: Code, Attachments, Bookmarks, Global Reports, Recently Updated, Pagetree, Create Space Button and Documentation Link.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Confluence version 3.4.6 or later, or apply the appropriate vendor patch.

See Also

http://www.nessus.org/u?a1c4240b

https://jira.atlassian.com/browse/CONF-21098

https://jira.atlassian.com/browse/CONF-21099

https://jira.atlassian.com/browse/CONF-21390

https://jira.atlassian.com/browse/CONF-21391

https://jira.atlassian.com/browse/CONF-21392

https://jira.atlassian.com/browse/CONF-21393

https://jira.atlassian.com/browse/CONF-21394

https://jira.atlassian.com/browse/CONF-21508

Plugin Details

Severity: Low

ID: 53575

File Name: confluence_3_4_6.nasl

Version: 1.15

Type: remote

Published: 4/28/2011

Updated: 4/11/2022

Configuration: Enable paranoid mode, Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:atlassian:confluence

Required KB Items: Settings/ParanoidReport, www/confluence

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/4/2011

Vulnerability Publication Date: 9/20/2010

Reference Information

BID: 47398

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

SECUNIA: 44194, 44204