Dear customers,
We are writing to inform you of a newly discovered security vulnerability that we have found and fixed in a recent version of Confluence.
* Customers who have downloaded and installed Confluence should upgrade their existing Confluence installations to fix this vulnerability.
* Enterprise Hosted customers need to request an upgrade by raising a support request at http://support.atlassian.com in the "Enterprise Hosting Support" project.
* Atlassian OnDemand and JIRA Studio customers are not affected by any of the issues described in this advisory.
Atlassian is committed to improving product security. The vulnerability listed in this advisory has been discovered by Atlassian, unless noted otherwise. The reporter may also have requested that we do not credit them.
For your convenience, we have included the entire security advisory in this email. To view the online version of this security advisory, please go to
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2012-09-04
If you have questions or concerns regarding this advisory, please raise a support request at
http://support.atlassian.com/.
*** Security advisory ***
*XSS Vulnerability*
Severity -- Atlassian rates the severity level of this vulnerability as High, according to the scale published in Severity Levels for Security Issues:
http://confluence.atlassian.com/display/DOC/Severity+Levels+for+Security+Issues. The scale allows us to rank the severity as critical, high, medium or low. This is an independent assessment and you should evaluate its applicability to your own IT environment. This vulnerability is not of Critical severity.
Description -- We have identified and fixed a reflected cross-site scripting (XSS) vulnerability that affects Confluence instances, including publicly available instances (that is, Internet-facing servers). XSS vulnerabilities allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at
http://www.cgisecurity.com/articles/xss-faq.shtml, http://projects.webappsec.org/Cross-Site+Scripting and other places on the web. This vulnerability affects all supported versions of Confluence and has been fixed in Confluence 4.1.9. This issue can be tracked here:
https://jira.atlassian.com/browse/CONF-26366
Risk Mitigation -- We strongly recommend upgrading your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.
Fix -- The vulnerability and fix version are described in the 'Description' section above. We recommend that you upgrade to Confluence 4.1.9 or later, if possible. For a full description of the latest version of Confluence, see the release notes:
http://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence from the download centre:
http://www.atlassian.com/software/confluence/ConfluenceDownloadCenter.jspa. Patches are not available for this vulnerability.
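Since no patch exists and the upgrade is the only remediation, a quick inventory check of installed versions against the 4.1.9 fix release is worth having. The Python below is an added example, not Atlassian's code; it assumes a Confluence page exposes its version in an "ajs-version-number" meta tag (confirm this against your own instance) and uses a constructed HTML sample.

```python
import re

# Fix version stated in the advisory: the reflected XSS is fixed in Confluence 4.1.9.
FIXED_VERSION = (4, 1, 9)

# Constructed sample page for this example. The "ajs-version-number" meta tag is an
# assumption about how Confluence exposes its version; verify on your own instance.
SAMPLE_HTML = """<html><head>
<meta name="ajs-version-number" content="4.1.10">
</head><body>Confluence login</body></html>"""

VERSION_META = re.compile(
    r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.IGNORECASE)


def parse_version(text):
    """Turn '4.1.9' (or '4.1.9-something') into a comparable tuple of ints.
    Only leading numeric components count; missing fields are treated as 0."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version_text):
    """True when the instance runs a release older than the fix version."""
    return parse_version(version_text) < FIXED_VERSION


def version_from_html(html):
    """Extract the version string from a Confluence page, or None if absent."""
    m = VERSION_META.search(html)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = version_from_html(SAMPLE_HTML)
    # Tuple comparison is needed: as plain strings, "4.1.10" sorts before "4.1.9".
    print(found, "vulnerable" if is_vulnerable(found) else "fixed")
```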
Our thanks to D. Niedermaier of Intrest SEC who reported the XSS vulnerability mentioned in this section. We fully support the reporting of vulnerabilities and we appreciate it when people work with us to identify and solve the problem.
Kind regards,
Atlassian