Confluence セキュリティ勧告 - 2008-01-24

Confluence のセキュリティの概要とアドバイザリ



アトラシアン コミュニティをご利用ください。


In this advisory:

ダッシュボード アクションでの XSS 脆弱性


Atlassian rates this vulnerability as high, according to the scale published in Confluence Security. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a security flaw which may affect Confluence instances in a public environment. This flaw is an XSS (cross-site scripting) vulnerability in a Confluence action, which potentially allows a malicious user (hacker) to embed their own JavaScript into a Confluence page.

  • The hacker might take advantage of this flaw to steal other users' session cookies or other credentials, by sending the credentials back to the hacker's own web server.
  • The hacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

To fix the vulnerabilities described below, Atlassian recommends that you take one of the following steps:

  • Upgrade to Confluence 2.7.1, or
  • Download and install the patch for Confluence 2.6.2 or Confluence 2.7.0 from our JIRA site – see issue CONF-10289.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Risk Mitigation

If you judge it necessary, you can disable public access (e.g. anonymous access and public signon) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups only.


A hacker can inject their own JavaScript into the following Confluence action:


The above Confluence action is used to determine which spaces are listed on a user's Dashboard. For example, the following URL requests a list of team spaces only:


The action is invoked when a user selects one of the 'Spaces' tabs on the Dashboard, such as the 'Team' tab. It can also be invoked by simply entering the URL into the browser address bar.


These issues have been fixed in Confluence 2.7.1 (see the release notes), which you can download from the download centre.

A patch is available for Confluence 2.6.2 and Confluence 2.7.0. For more information, please see CONF-10289.

この問題を Atlassian に報告くださった Mary Johnson 様に感謝いたします。当社では脆弱性の報告を完全にサポートしており、問題の特定と解決に対する彼女の協力に感謝しています。

Please let us know what you think of the format of this security advisory and the information we have provided.

最終更新日 2008 年 9 月 29 日


Powered by Confluence and Scroll Viewport.