Description
Atlassian Confluence version 5.9.12 is vulnerable to persistent cross site scripting because it fails to securely validate user controlled data, thus making it possible for an attacker to supply crafted input in order to harm users. The bug occurs at pages carrying attached files, even though the attached file name parameter is correctly sanitized upon submission, it is possible for an attacker to later edit the attached file name property and supply crafted data (i.e HTML tags and script code) without the occurrence of any security checks, resulting in an exploitable persistent cross site scripting injection.
Remediation
Upgrade Confluence to version 5.10.6 or above (recommended)
References
Related Vulnerabilities
WordPress Plugin Chained Quiz Multiple Cross-Site Scripting Vulnerabilities (0.9.8)
GlassFish admin console weak credentials
WordPress Plugin Testimonials by BestWebSoft Cross-Site Scripting (0.1.8)
WordPress Plugin Magic Fields 2 Cross-Site Scripting (2.3.2.4)
WordPress Plugin WP Import Export Lite Information Disclosure (3.9.15)