Vulnerability CVE-2017-18085


Published: 2018-02-02

Description:
The viewdefaultdecorator resource in Atlassian Confluence Server before version 6.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the key parameter.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: Atlassian
Product: Confluence 
Version:
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0
5.9.9
5.9.8
5.9.7
5.9.6
5.9.5
5.9.4
5.9.3
5.9.2
5.9.12
5.9.11
5.9.10
5.9.1
5.8.16
5.5.0
5.10.5
5.10.3
5.10.2
5.10.1
5.10.0
4.1.9
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1
4.0.5
4.0.4
4.0.3
4.0
3.5.9
3.5.7
3.5.6
3.5.5
3.5.4
3.5.3
3.5.2
3.5.13
3.5.11
3.5.1
3.5
3.4.9
3.4.8
3.4.7
3.4.6
3.4.5
3.4.3
3.4.2
3.4.1
3.4
3.3.3
3.3.1
3.3
3.2.1
3.2
3.1.2
3.1.1
3.1
3.0.2
3.0.1
3.0
2.9.3
2.9.2
2.9.1
2.9
2.8.3
2.8.2
2.8.1
2.8
2.7.4
2.7.3
2.7.2
2.7.1
2.7
2.6.3
2.6.2
2.6.1
2.6
2.10.4
2.10.3
2.10.2
2.10.1
2.10
1.4.4
1.4.3
1.4.2
1.4.1
1.4
1.3.6
1.3.5
1.3.4
1.3.2
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://jira.atlassian.com/browse/CONFSERVER-54905

Related CVE
CVE-2017-18086
Various resources in Atlassian Confluence Server before version 6.4.2 allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the issuesURL parameter.
CVE-2017-18084
The usermacros resource in Atlassian Confluence Server before version 6.3.4 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the description of a macro.
CVE-2017-18083
The editinword resource in Atlassian Confluence Server before version 6.4.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the contents of an uploaded file.
CVE-2017-18082
The plan configure branches resource in Atlassian Bamboo before version 6.2.3 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the name of a branch.
CVE-2017-18081
The signupUser resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability through the value of the csrf token cookie.
CVE-2017-18080
The saveConfigureSecurity resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify security settings via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18042
The update user administration resource in Atlassian Bamboo before version 6.3.1 allows remote attackers to modify user data including passwords via a Cross-site request forgery (CSRF) vulnerability.
CVE-2017-18041
The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo before version 6.2.0 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the name of a release.

Copyright 2018, cxsecurity.com

 

Back to Top