Description
Atlassian Confluence version 5.9.12 is vulnerable to persistent cross-site scripting because it fails to securely validate user-controlled data, allowing an attacker to supply crafted input that harms users. The bug occurs on pages carrying attached files: although the attachment file name parameter is correctly sanitized on submission, an attacker can later edit the attachment's file name property and supply crafted data (i.e. HTML tags and script code) without any security check being applied, resulting in an exploitable persistent cross-site scripting injection.
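The flaw described above is a consistency failure: the value is validated on one write path (upload) but not on another (rename), and the page renders whatever is stored. The following added example, which is not Confluence's code and models the behaviour with a constructed, in-memory attachment store, shows the vulnerable pattern next to two defensive ones (validating every write path, and HTML-encoding at the output boundary), with a check a reviewer can run against each variant. All class and function names are assumptions made for illustration.

```python
import html
import re
from dataclasses import dataclass

# Conservative file name character set used by the validating write paths (assumption).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._ -]{1,255}$")


def validate_filename(name: str) -> str:
    """Accept only a conservative file name character set; reject anything else."""
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    return name


@dataclass
class Attachment:
    filename: str


class VulnerableStore:
    """Mirrors the advisory: validation on upload only, raw interpolation on render."""

    def __init__(self) -> None:
        self.items: dict[str, Attachment] = {}

    def upload(self, att_id: str, name: str) -> None:
        self.items[att_id] = Attachment(validate_filename(name))

    def rename(self, att_id: str, new_name: str) -> None:
        # Second write path with no check: stored value can now carry markup.
        self.items[att_id].filename = new_name

    def render(self, att_id: str) -> str:
        # Stored value is emitted verbatim into HTML.
        return f'<a href="/download/{att_id}">{self.items[att_id].filename}</a>'


class EncodeOnlyStore(VulnerableStore):
    """Fix at the output boundary only: every stored value is HTML-encoded when rendered."""

    def render(self, att_id: str) -> str:
        return f'<a href="/download/{att_id}">{html.escape(self.items[att_id].filename)}</a>'


class HardenedStore(EncodeOnlyStore):
    """Defence in depth: validate on every write path AND encode on render."""

    def rename(self, att_id: str, new_name: str) -> None:
        self.items[att_id].filename = validate_filename(new_name)


def rename_path_is_safe(store_cls: type[VulnerableStore]) -> bool:
    """True if a rename containing HTML metacharacters cannot reach the page unencoded.

    Uses a constructed probe string; the only property checked is that a raw
    '<script>' tag never appears in the rendered HTML.
    """
    store = store_cls()
    store.upload("a1", "report.pdf")
    try:
        store.rename("a1", "<script>x</script>.pdf")
    except ValueError:
        return True  # rejected at the write path
    return "<script>" not in store.render("a1")


if __name__ == "__main__":
    for cls in (VulnerableStore, EncodeOnlyStore, HardenedStore):
        print(f"{cls.__name__}: rename path safe = {rename_path_is_safe(cls)}")
```

The check deliberately exercises the rename path rather than the upload path, because the upload path already passes; a regression test that only covers the originally validated entry point would not have caught this class of bug.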
Remediation
Upgrade Confluence to version 5.10.6 or above (recommended)
References