Lucene search

K
atlassianHeavydawsonATLASSIAN:CONF-25541
HistoryMay 18, 2012 - 8:44 p.m.

multimedia macro allows execution of arbitrary scripts

2012-05-1820:44:02
heavydawson
jira.atlassian.com
8

The {multimedia} macro in confluence embeds a swf without the ‘allowScriptAccess’ attribute set to ‘none’. This allows the embedded (user submitted) swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The {multimedia} tag is bundled in with the base product and not an optional macro, so steps may need to be taken by Atlassian to fix this issue if there isn’t a configuration setting anywhere.

This issue was reported by Workday’s Security Operations team member Michael Carlson