I've found several XSS in the URLs and parameters listed below. The criticality of the issues is moderated since only browsers that perform content sniffing would be affected (e.g. IE7). This limitation comes from the response's Content-Type header being set as text/plain. The classical payload <script>alert(1)</script> can be used in all of them as a POC.
XSS locations:
+ https://confluence/rest/tinymce/1/embed/placeholder/image parameter: contentId
+ https://confluence/rest/tinymce/1/drafts parameter: draftId and pageId
+ https://confluence/rest/tinymce/1/macro/preview parameter: name and body
+ https://confluence/rest/tinymce/1/macro/placeholder parameter: name and contentId
If there's more information required, please let me know and I'll do my best to provide greater details.
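
The condition described in the report (a parameter echoed unencoded in a text/plain response) can be checked on captured responses when verifying a fix. The following is an added example, not part of the original report or of Confluence's code: the marker, the function names and the sample responses are constructed, and the X-Content-Type-Options header is an assumption that the report does not mention.

```python
import html

# Constructed, inert marker standing in for a value sent in a request parameter.
MARKER = "<b>probe-7f3a</b>"

def classify(headers, body, marker=MARKER):
    """Classify one captured response to a request that carried `marker`.

    Returns "not-reflected", "encoded", "html-xss", "reflected-nosniff"
    or "sniffing-xss".
    """
    h = {k.lower(): v for k, v in headers.items()}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    if marker not in body:
        # Either the value was dropped, or it came back HTML-encoded.
        return "encoded" if html.escape(marker) in body else "not-reflected"
    if media_type in ("text/html", "application/xhtml+xml"):
        return "html-xss"           # raw echo rendered as markup by any browser
    if nosniff:
        # Raw echo with sniffing disabled. Browsers that predate the header
        # (IE7, the report's example) ignore it, so encoding is still needed.
        return "reflected-nosniff"
    return "sniffing-xss"           # raw echo; a sniffing browser may treat it as HTML

# Constructed sample responses: (headers, body).
SAMPLES = {
    "plain, raw echo": (
        {"Content-Type": "text/plain"},
        "draft " + MARKER + " not found"),
    "plain, raw echo, nosniff": (
        {"Content-Type": "text/plain; charset=UTF-8",
         "X-Content-Type-Options": "nosniff"},
        "draft " + MARKER + " not found"),
    "plain, encoded echo": (
        {"Content-Type": "text/plain"},
        "draft " + html.escape(MARKER) + " not found"),
}

def audit(samples=SAMPLES):
    """Map each sample name to its classification."""
    return {name: classify(hdrs, body) for name, (hdrs, body) in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{verdict:18} {name}")
```

Only the "encoded" and "not-reflected" results indicate that the echo itself has been fixed; the other results mean the raw value still reaches the response body.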