Medium
CVE-2016-4317
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
Tag: Confluence
All CVEs associated with "Confluence". Page 2/2 • 131 CVEs.
Subscribe CVEs: RSS for “Confluence” · RSS (High+Critical only)
About “Confluence”
A curated feed of “Confluence”-related CVEs appears below. We currently track 131 CVEs for this tag (all time). In the last 365 days, 27 were published. Average CVSS is 7.2 (all time; 7.2 over 365d), and 55% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-862 - Missing Authorization, CWE-754 - Improper Check for Unusual or Exceptional Conditions, CWE-116 - Improper Encoding or Escaping of Output.
In our taxonomy this topic maps to a LOW impact class. Atlassian apps hold code and project data. Patch, enforce SSO or MFA, restrict anonymous access, and audit marketplace apps and macros. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.
CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).
CVSS ≥ 0.0
2017-04-10
2017-01-23
High
CVE-2016-6668
The Atlassian Hipchat Integration Plugin for Bitbucket Server 6.26.0 before 6.27.5, 6.28.0 before 7.3.7, and 7.4.0 before 7.8.17; Confluence HipChat plugin 6.26.0 before 7.8.17; and HipChat for JIRA…
2017-01-18
Medium
CVE-2016-6283
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitrary web script or HTML via the newFileName parameter to pages/doeditattachment.a…
2016-04-11
Medium
CVE-2015-8399
Atlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdeco…
Medium
CVE-2015-8398
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to rest/prototype/1/session/check.
2014-11-06
Medium
CVE-2014-8658
Cross-site scripting (XSS) vulnerability in RefinedWiki Original Theme 3.x before 3.5.13 and 4.x before 4.0.12 for Confluence allows remote authenticated users with permissions to create or edit cont…
2014-05-13
Medium
CVE-2012-6342
Cross-site request forgery (CSRF) vulnerability in logout.action in Atlassian Confluence 3.4.6 allows remote attackers to hijack the authentication of administrators for requests that logout the user…
2012-05-22
Medium
CVE-2012-2928
The Gliffy plugin before 3.7.1 for Atlassian JIRA, and before 4.2 for Atlassian Confluence, does not properly restrict the capabilities of third-party XML parsers, which allows remote attackers to re…
Critical
CVE-2012-2926
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible before 2.5.8, 2.6 before 2.6.8, and 2.7 before 2.7.12; Bamboo before 3.3.4 and 3.4…
2011-12-15
Medium
CVE-2011-4822
Multiple cross-site scripting (XSS) vulnerabilities in the user profile feature in Atlassian FishEye before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via (1) snippets in a u…
2005-12-03
Medium
CVE-2005-3967
Cross-site scripting (XSS) vulnerability in the dosearchsite.action module in Atlassian Confluence 2.0.1 Build 321 allows remote attackers to inject arbitrary web script or HTML via the searchQuery.q…