
CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the key parameter. • http://www.securityfocus.com/bid/103062 https://jira.atlassian.com/browse/CONFSERVER-54905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross-site scripting (XSS) vulnerabilities in various RSS properties which were used as links without restriction on their scheme. • http://www.securityfocus.com/bid/102094 https://jira.atlassian.com/browse/CONFSERVER-54395 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. • http://www.securityfocus.com/bid/99086 https://jira.atlassian.com/browse/CONFSERVER-52560 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170613-0_Atlassian_Confluence_Access_Restriction_Bypass_v10.txt • CWE-276: Incorrect Default Permissions

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. • http://www.securityfocus.com/bid/97513 https://confluence.atlassian.com/doc/confluence-5-9-11-release-notes-827123763.html https://jira.atlassian.com/browse/CONF-42713 https://jira.atlassian.com/browse/CONFSERVER-42713 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action. • https://www.exploit-db.com/exploits/40989 http://packetstormsecurity.com/files/140363/Atlassian-Confluence-5.9.12-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2017/Jan/12 http://seclists.org/fulldisclosure/2017/Jan/3 http://www.securityfocus.com/bid/95288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')