Confluence Docs 3.3 : Confluence Security Advisory 2010-06-02
This page last changed on Jun 07, 2010 by alui.
This security advisory announces a vulnerability in the Confluence Mail Page plugin that may expose a Confluence site to XSS (cross-site scripting) attacks, if it is enabled (note, the Confluence Mail Page plugin is disabled by default). If you do not have this plugin enabled, your site will not be affected. However, we recommend that you still read the advisory below. In this advisory: XSS Vulnerability in Confluence Mail Page PluginSeverityAtlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low. Risk AssessmentWe have identified and fixed a security vulnerability which may affect Confluence instances in a public environment. This flaw is a cross-site scripting (XSS) vulnerability that could occur if you have the Confluence Mail Page plugin enabled. The Confluence Mail Page plugin is bundled with Confluence, although it is disabled by default.
You can read more about XSS attacks at cgisecurity, CERT and other places on the web. VulnerabilityAn attacker can execute their own JavaScript when a user enters a custom URL into the browser address bar (e.g. the user clicks a crafted link in an email). The rogue JavaScript will be executed when the user invokes the URL. For more details, please refer to CONF-19802. Risk MitigationWe recommend installing the updated Confluence Mail Page plugin into your Confluence installation to fix this vulnerabilities. Please see the 'Fix' section below. Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you can disable the Confluence Mail Page plugin (note, the plugin is disabled by default). You may also wish to disable public access (e.g. anonymous access and public sign-on) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups. FixThese issues have been fixed in the latest version (v1.10) of the Confluence Mail Page plugin, which you can download from the Atlassian Plugin Exchange. Installation instructions are available on the plugin documentation page. Please note, version 1.10 of the Confluence Mail Page plugin will only work with Confluence 3.2. You will need to upgrade to Confluence 3.2 before installing the updated plugin. |
![]() |
Document generated by Confluence on Jul 09, 2010 01:08 |