multimedia macro allows execution of arbitrary scripts

2012-05-18T20:44:02
ID ATLASSIAN:CONFSERVER-25541
Type atlassian
Reporter heavydawson
Modified 2018-10-11T08:37:33

Description

The {multimedia} macro in confluence embeds a swf without the 'allowScriptAccess' attribute set to 'none'. This allows the embedded (user submitted) swf to execute arbitrary javascript on the page, constituting an XSS vulnerability. The {multimedia} tag is bundled in with the base product and not an optional macro, so steps may need to be taken by Atlassian to fix this issue if there isn't a configuration setting anywhere.

This issue was reported by Workday's Security Operations team member Michael Carlson