CVE-2016-6283 – Atlassian Confluence < 5.10.6 - Persistent Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2016-6283
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.action. • https://www.exploit-db.com/exploits/40989 http://packetstormsecurity.com/files/140363/Atlassian-Confluence-5.9.12-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2017/Jan/12 http://seclists.org/fulldisclosure/2017/Jan/3 http://www.securityfocus.com/bid/95288 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8398 – Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-8398
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check. Atlassian Confluence suffers from cross-site scripting and insecure direct object reference vulnerabilities. The cross-site scripting affects versions 5.2, 5.8.14, and 5.8.15. The reference vulnerability affects versions 5.9.1, 5.8.14, and 5.8.15. • https://www.exploit-db.com/exploits/39170 http://www.securityfocus.com/archive/1/537232/100/0/threaded • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2015-8399 – Atlassian Confluence 5.2/5.8.14/5.8.15 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-8399
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action. Atlassian Confluence suffers from cross-site scripting and insecure direct object reference vulnerabilities. The cross-site scripting affects versions 5.2, 5.8.14, and 5.8.15. The reference vulnerability affects versions 5.9.1, 5.8.14, and 5.8.15. • https://www.exploit-db.com/exploits/39170 http://www.securityfocus.com/archive/1/537232/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor