4195 matches found
Inserted image filenames are not escaped properly as thumbnails
When you insert an image as a thumbnail into a wiki page, the generated HTML does not properly escape the filename...
Logging event information is not HTML encoded in 500 error page
The Confluence 500 error page lists logging events generated during the request that produced the 500 error page. The strings rendered from this event are not HTML encoded, leaving open a chance for an attacker to exploit this via XSS. I haven't yet investigated to see whether this is actually...
Confluence administrators (who are not necessarily sys admins) can configure whitelist
A user who has the "Confluence Administrator" permission, but not necessarily the "System Administrator" permission, can configure the new URL whitelist for the HTML-include and RSS macros. Is this good enough, from a security point of view?...
XSS bug in wiki markup link rendering
The following wikimarkup creates links with an onclick event. noformat test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' test link|mailto:[email protected]" onclick="alert'hi. I am a fun onclick event' noformat This is due to the following code in...
Restrict anonymous users from viewing user profiles.
Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://wikiBaseUrl/display/accountName. This is a major security problem for us because it exposes: 1. The user's name 2. The user's ID 3. T...
Restrict access to page history to certain users (or groups)
A customer requested a new feature to restrict access to page history only to a particular group or certain users...
Restrict access to page history to certain users (or groups)
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFCLOUD-13247. A customer requested a new feature to restrict access to page history only to a particular group or certain use...
Restrict access to page history to certain users (or groups)
NOTE: This suggestion is for Confluence Cloud. Using Confluence Server? See the corresponding suggestion: http://jira.atlassian.com/browse/CONFSERVER-13247. A customer requested a new feature to restrict access to page history only to a particular group or certain...
Make XWork ParametersInterceptor safe from parameter injection attacks
The XWork ParametersInterceptor is a security nightmare as it gives user input submitted form parameters unfettered access to getter/setter methods on action objects. In addition, the interceptor has been shown in the past to be vulnerable to Unicode attacks. Rather than fight a constant and ofte...
It's possible to execute a workflow action without being logged in.
To reproduce, open Jira in two browser windows. In the first, navigate to an issue with an available workflow action. In the second, log out. In the first, perform one of the workflow actions. You'll see a page asking you to log back in, but the action has still been performed. To see this, in th...
XSS in pagetree plugin
The pagetree plugin is vulnerable to XSS by injecting code in the treeId field. Example below:...
XSS in RSS feed creation
URL: http://localhost:8080/dashboard/doconfigurerssfeed.action. The RSS feed creation process is vulnerable to XSS attacks. It is possible to inject JavaScript code into the page by changing the types field to: types="alertdocument.cookie Complete example from the test environment:...
XSS in bookmarks plugin
The bookmarking code under the url http://localhost:8080/plugins/socialbookmarking/updatebookmark.action is vulnerable to XSS attacks using the spaceKey parameter: submitting the following code will execute javascript: spaceKey=%22%3E%3Cscript%3Ealertdocument.cookie%3C/script%3E%22%3E IMPORTANT:...
Stored XSS in wiki macro search
Creating a page/comment etc with the following wiki-markup macro will render javascript on the page for anybody visiting this page search:query=alertdocument.cookie IMPORTANT: please confirm receipt of this notification! Depending on the response, we may report the vulnerability to publicly...
Privilege escalation: User is able to add a page to his watchlist without having the permission
Scenario: create user1 and user2; user1 has access to space1; user2 has access to space2. user1 can add a page to his watchlist by manipulating (using a proxy like WebScarab) the POST request to http://localhost:8080/dwr/exec/PageNotification.startWatching.dwr and replacing the id contained in paramete...
default config values restored
This should be for 2.9.1 - this version was not yet available under "affects versions" when filing this bug. After updating from 2.9 to 2.9.1, most of my settings were overwritten by their default values. - public signup got enabled - the language changed back to English instead of German - e-mai...
XSS in site search action
http://confluence.atlassian.com/dosearchsite.action?where=confall&queryString=%3Cscript%3Ealert'foo';%3C/script%3E queryString needs to be escaped. This problem is fixed if they turn on Anti-XSS mode. We still need to fix this as anti-xss is not on by default...
Pages that inherit page restrictions are not respecting those restrictions after upgrade to Confluence 2.9
Tested and verified in both customer environment and in test environment. In the event that you have a parent page restriction and a child page that inherits that restriction, upon upgrade, 2.9 will only respect the explicit parent permission in terms of security trims and actual access but not...
Hidden pages' content can be viewed without permission using diffpages.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. E.g.: Two spaces, A and B. Page with id 1 is in Space A. Page with id 2 is in Space B. User cannot see Space A. User can see Space ...
Hidden pages' content can be viewed without permission using copypage.action
If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL. E.g.: Two spaces, A and B. Page with id 1 is in Space A. User cannot see Space A. User can see Space B. The following URL will allo...