Lucene search

4 matches found

Atlassian
added 2018/06/14 8:26 a.m., 23 views

XSS in User Macros, Macro Title and Icon URL

h2. Summary
A System Administrator is allowed to input JS/CSS in the Macro Title and Icon URL fields in the Macro Editor. The script input in these fields can be executed when a user opens the "Macro" selection window.
h2. How to reproduce
Go to "Edit User Macro" as Confluence Administrator. !Screen Shot 2018-06-14 at...

AI score: 0.1
Exploits: 0
Atlassian
added 2018/06/14 8:26 a.m., 537 views

XSS in User Macros, Macro Title and Icon URL

h2. Summary
A System Administrator is allowed to input JS/CSS in the Macro Title and Icon URL fields in the Macro Editor. The script input in these fields can be executed when a user opens the "Macro" selection window.
h2. How to reproduce
Go to "Edit User Macro" as Confluence Administrator. !Screen Shot 2018-06-14 at...

AI score: 0.1
Exploits: 0, Affected Software: 1
Atlassian
added 2011/01/03 4:39 p.m., 15 views

Admin menu items displayed to non-admins when accessing "Global Templates" page

When accessing the "Global Templates" menu as a non-admin, the navigation controls for the administration panel are displayed. The links cannot be used without entering new credentials, but it would be more consistent to hide the links from non-admins, just as we hide "System Administrator" links...

AI score: 1.6
Exploits: 0, Affected Software: 1
Atlassian
added 2008/10/27 5:18 a.m., 21 views

Confluence administrators (who are not necessarily sys admins) can configure whitelist

A user who has the "Confluence Administrator" permission, but not necessarily the "System Administrator" permission, can configure the new URL whitelist for the HTML-include and RSS macros. Is this good enough, from a security point of view?...

AI score: 2.2
Exploits: 0, Affected Software: 1