Description
Atlassian Confluence version 5.9.12 is vulnerable to persistent cross site scripting because it fails to securely validate user controlled data, thus making it possible for an attacker to supply crafted input in order to harm users. The bug occurs at pages carrying attached files, even though the attached file name parameter is correctly sanitized upon submission, it is possible for an attacker to later edit the attached file name property and supply crafted data (i.e HTML tags and script code) without the occurrence of any security checks, resulting in an exploitable persistent cross site scripting injection.
Remediation
Upgrade Confluence to version 5.10.6 or above (recommended)
References
Related Vulnerabilities
WordPress Plugin Gallery-Video Gallery and Youtube Gallery Cross-Site Scripting (1.7.01)
WordPress Plugin Jigoshop Information Disclosure (1.17.9)
WordPress Plugin BP Code Snippets Cross-Site Scripting (2.0)
WordPress Plugin WP Academic People List Cross-Site Scripting (0.4.1)
WordPress Plugin Import Social Events Cross-Site Scripting (1.6.6)