Confluence Community Security Advisory 2006-01-19
This security advisory is not endorsed by Atlassian - this is a public service advisory from a member of the confluence community. Please remember to backup any modified files, and use these instructions at your own risk. While this information is based on Confluence v2.1.2, it may have uses with older affected versions of Confluence.
The official security advisory is located at Confluence Security Advisory 2006-01-20
There is a possibility of XSS exploitation of the Full Name user profile field when displayed.
The problem was unescaped outputting of the fullname - wrapping the output in $generalUtil.htmlEncode() resolve it. The vast majority of the problem can be resolved by changing
/confluence/template/includes/macros.vm in the distribution on the following lines:
I have attached the modified macros.vm file here which you can copy into your distribution.
There are other places which are still affected which Atlassian have been made aware of, a complete resolution should be provided by Atlassian in their own offical advisory.
I hope this helps some of you!