CVE-2017-18083
https://notcve.org/view.php?id=CVE-2017-18083
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file. El recurso editinword en Atlassian Confluence Server, en versiones anteriores a la 6.4.0, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) a través del contenido de un archivo subido. • https://jira.atlassian.com/browse/CONFSERVER-54903 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-18085
https://notcve.org/view.php?id=CVE-2017-18085
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter. El recurso viewdefaultdecorator en Atlassian Confluence Server, en versiones anteriores a la 6.6.1, permite que atacantes remotos inyecten HTML o JavaScript arbitrario mediante una vulnerabilidad Cross-Site Scripting (XSS) a través del parámetro key. • http://www.securityfocus.com/bid/103062 https://jira.atlassian.com/browse/CONFSERVER-54905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-16856
https://notcve.org/view.php?id=CVE-2017-16856
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme. La macro RSS Feed en Atlassian Confluence en versiones anteriores a la 6.5.2 permite que atacantes remotos inyecten código HTML o JavaScript arbitrario mediante vulnerabilidades de Cross-Site Scripting (XSS) en varias propiedades rss, que fueron empleadas como enlaces sin restricciones en su combinación. • http://www.securityfocus.com/bid/102094 https://jira.atlassian.com/browse/CONFSERVER-54395 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2017-9505
https://notcve.org/view.php?id=CVE-2017-9505
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creating a workbox notification about new comments. An attacker who can login to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it even if they do not have permission to view the page itself. Atlassian Confluence desde la versión 4.3.0 hasta la 6.2.1 no comprobaba si un usuario tenía permiso para visualizar una página mientras se creaba una notificación workbox sobre nuevos comentarios. Un atacante que pueda iniciar sesión en Confluence podría recibir notificaciones workbox, que contienen los comentarios, para los comentarios añadidos a una página una vez que han empezado a verla aunque no tengan permiso para visualizar la propia página. • http://www.securityfocus.com/bid/99086 https://jira.atlassian.com/browse/CONFSERVER-52560 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170613-0_Atlassian_Confluence_Access_Restriction_Bypass_v10.txt • CWE-276: Incorrect Default Permissions •