Synopsis
The remote Confluence server is affected by multiple vulnerabilities.

Description
Versions of Confluence 5.8.x prior to 5.8.6 are affected by multiple vulnerabilities:
- A flaw exists that is triggered during the handling of disabled user accounts. This may allow a user whose account has been disabled to still receive unintended notifications that contain sensitive information.
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the comment module does not validate input when handling comments in embedded SWF files before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
Solution
Upgrade to Confluence 5.8.x version 5.8.6 or later.