
CVE-2017-18085
https://notcve.org/view.php?id=CVE-2017-18085
02 Feb 2018 — The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. • http://www.securityfocus.com/bid/103062 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-18086
https://notcve.org/view.php?id=CVE-2017-18086
02 Feb 2018 — Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter. • http://www.securityfocus.com/bid/103061 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-16856
https://notcve.org/view.php?id=CVE-2017-16856
05 Dec 2017 — The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. • http://www.securityfocus.com/bid/102094 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-9505
https://notcve.org/view.php?id=CVE-2017-9505
15 Jun 2017 — Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. • http://www.securityfocus.com/bid/99086 • CWE-276: Incorrect Default Permissions