This security advisory is not endorsed by Atlassian - this is a public service advisory from a member of the confluence community. Please remember to backup any modified files, and use these instructions at your own risk. While this information is based on Confluence v2.1.2, it may have uses with older affected versions of Confluence.

The official security advisory is located at Confluence Security Advisory 2006-01-20

Problem

There is a possibility of XSS exploitation of the Full Name user profile field when displayed.

Solution

The problem was unescaped outputting of the fullname - wrapping the output in $generalUtil.htmlEncode() resolve it. The vast majority of the problem can be resolved by changing /confluence/template/includes/macros.vm in the distribution on the following lines:

180
186
200
340
893

I have attached the modified macros.vm file here which you can copy into your distribution.

Scope

There are other places which are still affected which Atlassian have been made aware of, a complete resolution should be provided by Atlassian in their own offical advisory.

I hope this helps some of you!

Confluence Support

Knowledge base

Products

Jira Software

Jira Service Management

Jira Work Management

Confluence

Bitbucket

Resources

Documentation

Community

Suggestions and bugs

Marketplace

Billing and licensing

Confluence Community Security Advisory 2006-01-19

Confluence Security Overview and Advisories

On this page

Still need help?

Problem

Solution

Scope

Page

Viewport

Confluence

Versions

Confluence Community Security Advisory 2006-01-19

Confluence Security Overview and Advisories

On this page

Related content

Still need help?

Problem

Solution

Scope

Related content