Atlassian Confluence Stored Cross Site Scripting
Description
Atlassian Confluence version 5.9.12 contains a stored cross-site scripting (XSS) vulnerability in the file attachment functionality. While the application properly sanitizes file names during the initial upload process, it fails to validate input when users later edit the file name property. This allows authenticated attackers to inject malicious HTML and JavaScript code through the file name field, which is then persistently stored and executed in the browsers of other users who view pages containing the affected attachments.
Remediation
Upgrade Atlassian Confluence to version 5.10.6 or later, which addresses this vulnerability. Organizations should follow these steps:
1. Review the Atlassian security advisory and plan a maintenance window for the upgrade
2. Back up your Confluence instance and database before proceeding
3. Download and install Confluence version 5.10.6 or the latest stable release from the Atlassian website
4. After upgrading, audit existing file attachments for suspicious file names containing HTML or JavaScript code
5. Consider implementing Content Security Policy (CSP) headers as an additional defense-in-depth measure
If immediate patching is not possible, restrict file attachment editing permissions to trusted users only as a temporary mitigation.