CVE-2017-18085
https://notcve.org/view.php?id=CVE-2017-18085
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross-site scripting (XSS) vulnerability through the key parameter.
• http://www.securityfocus.com/bid/103062 https://jira.atlassian.com/browse/CONFSERVER-54905
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16856
https://notcve.org/view.php?id=CVE-2017-16856
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross-site scripting (XSS) vulnerabilities in various RSS properties which were used as links without restriction on their scheme.
• http://www.securityfocus.com/bid/102094 https://jira.atlassian.com/browse/CONFSERVER-54395
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-4317
https://notcve.org/view.php?id=CVE-2016-4317
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
• http://www.securityfocus.com/bid/97513 https://confluence.atlassian.com/doc/confluence-5-9-11-release-notes-827123763.html https://jira.atlassian.com/browse/CONF-42713 https://jira.atlassian.com/browse/CONFSERVER-42713
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-6283 – Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-6283
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action.
• https://www.exploit-db.com/exploits/40989 http://packetstormsecurity.com/files/140363/Atlassian-Confluence-5.9.12-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2017/Jan/12 http://seclists.org/fulldisclosure/2017/Jan/3 http://www.securityfocus.com/bid/95288
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8398 – Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-8398
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check. Atlassian Confluence suffers from cross-site scripting and insecure direct object reference vulnerabilities. The cross-site scripting affects versions 5.2, 5.8.14, and 5.8.15. The reference vulnerability affects versions 5.9.1, 5.8.14, and 5.8.15.
• https://www.exploit-db.com/exploits/39170 http://www.securityfocus.com/archive/1/537232/100/0/threaded
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')