Several XSS flaws in the /rest/tinymce/1

Type atlassian
Reporter adrian.bravo
Modified 2017-02-17T04:35:55


I've found several XSS in the URLs and parameters listed below. The criticality of the issues is moderate, since only browsers that perform content sniffing would be affected (e.g. IE7). This limitation comes from the response's Content-Type header being set to text/plain. The classical payload <script>alert(1)</script> can be used in all of them as a PoC.

XSS locations:

  • https://confluence/rest/tinymce/1/embed/placeholder/image parameter: contentId

  • https://confluence/rest/tinymce/1/drafts parameter: draftId and pageId

  • https://confluence/rest/tinymce/1/macro/preview parameter: name and body

  • https://confluence/rest/tinymce/1/macro/placeholder parameter: name and contentId

If there's more information required, please let me know and I'll do my best to provide greater details.

Regards, Adrián
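A defender's triage check that encodes the severity reasoning in the report (reflected value, text/plain Content-Type, no nosniff header). This is an added example, not part of the original report or of Confluence; the Response class, the sample responses and the harmless probe marker are constructed.

```python
# Triage helper for reflected-input findings like the ones in this report.
# A reflected value is a full XSS when served as text/html, a sniffing-only XSS
# when served as a non-HTML type without X-Content-Type-Options: nosniff, and
# mitigated when nosniff is present. Everything below is constructed sample
# data, not captured Confluence traffic.
from dataclasses import dataclass
import html


@dataclass
class Response:
    status: int
    headers: dict  # header names are matched case-insensitively
    body: str


def _header(resp: Response, name: str):
    for k, v in resp.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def classify_reflection(resp: Response, value: str) -> str:
    """Return one of: not-reflected, reflected-escaped, html-xss,
    sniff-only-xss, mitigated."""
    escaped = html.escape(value, quote=True)
    if escaped != value and escaped in resp.body and value not in resp.body:
        return "reflected-escaped"          # output encoding is in place
    if value not in resp.body:
        return "not-reflected"
    ctype = (_header(resp, "Content-Type") or "").split(";")[0].strip().lower()
    nosniff = (_header(resp, "X-Content-Type-Options") or "").strip().lower() == "nosniff"
    if ctype == "text/html":
        return "html-xss"                   # every browser renders it
    if nosniff:
        return "mitigated"                  # non-HTML type and sniffing disabled
    return "sniff-only-xss"                 # only sniffing browsers (e.g. IE7) affected


# Constructed samples: the text/plain echo the report describes, and the same
# response with the nosniff header added (one common hardening step).
MARKER = "<b>probe</b>"  # harmless markup marker used in place of a real payload
SAMPLE_TEXT_PLAIN = Response(200, {"Content-Type": "text/plain;charset=UTF-8"},
                             f"Unknown content id: {MARKER}")
SAMPLE_NOSNIFF = Response(200, {"Content-Type": "text/plain;charset=UTF-8",
                                "X-Content-Type-Options": "nosniff"},
                          f"Unknown content id: {MARKER}")

if __name__ == "__main__":
    print(classify_reflection(SAMPLE_TEXT_PLAIN, MARKER))  # sniff-only-xss
    print(classify_reflection(SAMPLE_NOSNIFF, MARKER))     # mitigated
```

The nosniff header only removes the sniffing path; the real fix is to escape or reject the reflected parameter in the endpoint itself.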