Description
Atlassian Confluence version 5.9.12 is vulnerable to persistent cross site scripting because it fails to securely validate user controlled data, thus making it possible for an attacker to supply crafted input in order to harm users. The bug occurs at pages carrying attached files, even though the attached file name parameter is correctly sanitized upon submission, it is possible for an attacker to later edit the attached file name property and supply crafted data (i.e HTML tags and script code) without the occurrence of any security checks, resulting in an exploitable persistent cross site scripting injection.
Remediation
Upgrade Confluence to version 5.10.6 or above (recommended)
References
Related Vulnerabilities
WordPress Plugin Log Emails Information Disclosure (1.0.6)
WordPress Plugin Export Post Info Cross-Site Scripting (1.1.0)
WordPress Plugin Genesis Simple Share Cross-Site Scripting (1.0.6)
WordPress Plugin Events Manager Extended Multiple HTML Injection Vulnerabilities (3.1.2)
WordPress Plugin Login with Azure (Azure SSO) Cross-Site Scripting (1.4.4)