XSS vulnerability in the "import word document" page action through the page name

Type atlassian
Reporter dblack
Modified 2017-02-28T05:46:20


On the "Import Word Document" page action, the name of the Confluence page is a persistent XSS vector because it is not encoded.

How to Reproduce:

  1. Create a Confluence page with the following title: XSS"/><script>alert('XSS')</script>
  2. Navigate to the created page
  3. Under the tools menu select "Import Word Document"
  4. Upload a Word document
  5. Click "Next"
  6. See an alert prompt containing the text 'XSS' within it.
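
The `"/>` at the start of the title indicates that it closes a quoted attribute before the script element begins. The Python sketch below is an added example, not Confluence's code: the hidden `pageTitle` field, the markup and the function names are assumptions. It renders the title from step 1 with and without HTML encoding and parses the result to check whether the title stayed data.

```python
import html
from html.parser import HTMLParser

# Title taken from step 1 of the reproduction above.
TITLE = "XSS\"/><script>alert('XSS')</script>"

def render_unencoded(title):
    # Hypothetical wizard markup: title concatenated into the attribute as-is.
    return ('<form><input type="hidden" name="pageTitle" value="'
            + title + '"/></form>')

def render_encoded(title):
    # Same markup, with the title HTML-encoded for a quoted attribute value.
    return ('<form><input type="hidden" name="pageTitle" value="'
            + html.escape(title, quote=True) + '"/></form>')

class MarkupAudit(HTMLParser):
    """Records every element the parser sees and the pageTitle field value."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.field_value = None

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via the default handle_startendtag.
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "pageTitle":
            self.field_value = attrs.get("value")

def audit(markup):
    """Parse markup and return (element names in order, pageTitle value)."""
    parser = MarkupAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.field_value

def title_is_inert(render, title):
    """True when no extra element appears and the value round-trips exactly."""
    tags, value = audit(render(title))
    return tags == ["form", "input"] and value == title

if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        print(render.__name__, audit(render(TITLE)), title_is_inert(render, TITLE))
```

The same `title_is_inert` check can serve as a regression test over any template that echoes a user-controlled page title.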