Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Atlassian Confluence < 7.4.2 / 7.5.x < 7.5.2 XSS (CONFSERVER-60102)

🗓️ 31 Jul 2020 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 55 Views

Atlassian Confluence < 7.4.2 / 7.5.x < 7.5.2 XSS vulnerabilit

Related
Refs
Code
ReporterTitlePublishedViews
Family
Atlassian		XSS in user macro parameters - CVE-2020-14175
24 Jul 202003:39
atlassian
CNVD		Atlassian Confluence Server and Data Center Cross-Site Scripting Vulnerability
28 Jul 202000:00
cnvd
CVE		CVE-2020-14175
24 Jul 202007:05
cve
Cvelist		CVE-2020-14175
24 Jul 202007:05
cvelist
EUVD		EUVD-2020-6332
7 Oct 202500:30
euvd
NVD		CVE-2020-14175
24 Jul 202007:15
nvd
OSV		CVE-2020-14175
24 Jul 202007:15
osv
Prion		Cross site scripting
24 Jul 202007:15
prion
Tenable Nessus		Atlassian Confluence < 7.4.2 Cross-Site Scripting
5 Jul 202100:00
nessus
Tenable Nessus		Atlassian Confluence 7.5.x < 7.5.2 Cross-Site Scripting
5 Jul 202100:00
nessus
Rows per page
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(139205);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/05/14");

  script_cve_id("CVE-2020-14175");
  script_xref(name:"IAVA", value:"2020-A-0341-S");

  script_name(english:"Atlassian Confluence < 7.4.2 / 7.5.x < 7.5.2 XSS (CONFSERVER-60102)");

  script_set_attribute(attribute:"synopsis", value:
"A web application running on the remote host is affected by a cross-site scripting (XSS) vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the Atlassian Confluence application running on the remote host is prior
to 7.4.2 or 7.5.x prior to 7.5.2. It is, therefore, affected by a cross-site scripting (XSS) vulnerability in user macro
parameters. An authenticated, remote attacker can exploit this to inject HTML and JavaScript to execute arbitrary script
code in a user's browser session.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://jira.atlassian.com/browse/CONFSERVER-60102");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Atlassian Confluence version 7.4.2, 7.5.2, 7.6.0, or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-14175");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:confluence");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2020-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("confluence_detect.nasl");
  script_require_keys("installed_sw/confluence");
  script_require_ports("Services/www", 8080, 8090);

  exit(0);
}

include('vcf.inc');
include('http.inc');

app_name = 'confluence';

port = get_http_port(default:80);

app_info = vcf::get_app_info(app:app_name, port:port, webapp:TRUE);
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { 'fixed_version': '7.4.2' },
  { 'min_version': '7.5.0',  'fixed_version': '7.5.2', 'fixed_display': '7.5.2 / 7.6.0' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE, flags:{xss:TRUE});

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 May 2025 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 23.5
CVSS 3.15.4
EPSS0.0028
atlassian confluenceversion numbercross-site scriptinguser macro parametershtml injectionjavascript injectionarbitrary script codenessus scanner
55