multimedia macro allows execution of arbitrary scripts

The {multimedia} macro in confluence embeds a swf without the ‘allowScriptAccess’ attribute set to ‘none’. This allows the embedded (user submitted) swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The {multimedia} tag is bundled in with the base product and not an optional macro, so steps may need to be taken by Atlassian to fix this issue if there isn’t a configuration setting anywhere.

This issue was reported by Workday’s Security Operations team member Michael Carlson