Detections
Analytics
Atlassian Confluence Server < 5.7 Reflected Static Content Injection
low Nessus Network Monitor Plugin ID 9642
Synopsis
The remote Confluence server is affected by a reflected static content injection vulnerability.Description
Versions of Confluence prior to 5.7 contain a flaw that exists in 'plugins/recently-updated/changes.action' that is triggered as input passed via the 'theme' parameter is not properly sanitized. This may allow a remote attacker to reflect arbitrary static content to the browser.Solution
Upgrade to Confluence version 5.7 or later.See Also
https://jira.atlassian.com/browse/CONF-35189
Plugin Details
Severity: Low
ID: 9642
Family: CGI
Published: 10/14/2016
Updated: 3/6/2019
Risk Information
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS v3
Risk Factor: Low
Base Score: 3.7
Temporal Score: 3.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:atlassian:confluence
Patch Publication Date: 11/17/2014
Vulnerability Publication Date: 4/30/2015