XSS vulnerability in space key, particularly with decorators off

Type atlassian
Reporter don.willis@atlassian.com
Modified 2017-02-17T05:21:40


As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it.

To exploit it, create a user with html in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.

There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.