Confluence Docs 2.10 : Confluence Security Advisory 2007-11-19
This page last changed on Nov 18, 2007 by smaddox.
In this advisory:
- DWR debug mode enabled
- XSS vulnerability in exception error page
- XSS vulnerability in the URL destination for the print icon
- XSS vulnerability in wiki markup for images

Atlassian recommends that you upgrade to Confluence 2.6.1 to fix the vulnerabilities described below.

DWR debug mode enabled

Vulnerability
Debug mode was enabled by default on Direct Web Remoting (DWR). This made it easy for a potential attacker to find information about available AJAX request handlers in Confluence.

Fix
This issue has been fixed in Confluence 2.6.1. If you do not wish to upgrade at this time, you can fix the problem by editing your <confluence install>/confluence/WEB-INF/web.xml file. For more information, please see CONF-9718.

XSS vulnerability in exception error page

Vulnerability
The attributes and parameters were not escaped on the Confluence exception error page. This is a potential vulnerability to a cross-site scripting attack.

Fix
This issue has been fixed in Confluence 2.6.1. For more information, please see CONF-9704 and CONF-9560.

XSS vulnerability in the URL destination for the print icon

Vulnerability
The print icon on the HTTP 404 error page uses the path of the requested URL, which potentially contains malicious JavaScript. The 404 page did not correctly escape it. This is a potential vulnerability to a cross-site scripting attack.

Fix
This issue has been fixed in Confluence 2.6.1. A patch is supplied for customers with Confluence version 2.6 who do not wish to upgrade at this time. For more information, please see CONF-9456.

XSS vulnerability in wiki markup for images

Vulnerability
When using image URLs in wiki markup, quotes were not correctly escaped. This is a potential vulnerability to a cross-site scripting attack.

Fix
This issue has been fixed in Confluence 2.6.1. For customers with Confluence 2.6 who do not wish to upgrade at this time, the new atlassian-renderer JAR should resolve this issue. For more information, please see CONF-9209.
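The advisory says the DWR debug mode issue can be addressed without upgrading by editing <confluence install>/confluence/WEB-INF/web.xml, but does not show the entry. The fragment below is an added example, not text from the advisory or from Atlassian: it shows the DWR servlet registration with the debug init-param enabled (the weak setting) and the same entry with it disabled. The param name "debug" is DWR's own switch for its debug/test pages; the servlet-name "dwr-invoker", the servlet-class and the servlet-mapping path are assumptions about how Confluence 2.6 wires DWR and must be matched against the entry actually present in your web.xml rather than copied.

```xml
<!-- Added example (not from the advisory). Servlet name, class and mapping
     path are assumptions; locate the real DWR <servlet> block in your own
     web.xml and change only the debug init-param. -->

<!-- Weak setting: DWR debug/test pages enabled, exposing the list of
     remoted handlers and a form for invoking them -->
<servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>

<!-- Corrected setting: debug pages disabled. Setting the value to false is
     equivalent to removing the init-param, since DWR defaults debug to off. -->
<servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>uk.ltd.getahead.dwr.DWRServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>

<!-- The mapping is unchanged; it is shown only so you can verify the fix -->
<servlet-mapping>
    <servlet-name>dwr-invoker</servlet-name>
    <url-pattern>/dwr/*</url-pattern>
</servlet-mapping>
```

After editing the file, restart Confluence (web.xml is read at startup). To verify, request the DWR servlet's mapped path in a browser (the path under the servlet-mapping above, /dwr/ in this assumed configuration): with debug on, DWR serves an index page listing the exported handlers; with debug off, that page is no longer served. Checking this once after the change, and again after any later upgrade or redeploy that might overwrite web.xml, confirms the handler list is no longer exposed.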
Document generated by Confluence on Dec 03, 2008 15:04