Confluence Security Advisory 2006-01-20
A flaw has been found in Confluence by which attackers to inject malicious HTML code into Confluence. Atlassian STRONGLY recommends that all Confluence customers apply the fix described below immediately, or upgrade to Confluence 2.1.3.
This flaw affects all versions of Confluence between 1.4-DR releases and 2.1.2.
This issue was initally reported by Ricardo Sueiras and a fix was quickly documented by Dan Hardiker at the Confluence Community Security Advisory 2006-01-19 page. Our thanks to them for bringing this to our attention.
There is an issue in JIRA at CONF-5233.
This vulnerability is fixed in Confluence 2.1.3 and later. Customers who do not wish to migrate to 2.1.3 can fix this bug using the procedure below:
Steps to fix:
- Copy macros.vm to your confluence/template/includes folder
- Restart Confluence
Note: If you are using version 1.4.4, please download and copy this file instead. You will need to rename it back to
If you are not using any of the above versions, you will need to replace wrap calls to display full names of users in $generalUtil.htmlEncode(). Alternatively, send us an email. We do however encourage you to use the latest stable point release regardless of the version you are using.