Stored XSS Vulnerability in Confluence Data Center by Atlassian
CVE-2024-21678
8.5 HIGH
What is CVE-2024-21678?
A stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. It allows an authenticated attacker to execute arbitrary HTML or JavaScript code in the context of a victim's browser, which can compromise user confidentiality and so affects data privacy and security. The issue was reported through Atlassian's Bug Bounty program, and the vendor recommends upgrading immediately to a fixed version to mitigate the risk. Users are strongly advised to update to the latest available version to protect against possible exploits.
Affected Version(s)
Confluence Data Center >= 2.7.0 < 2.7.0
Confluence Data Center >= 7.13.0 >= 7.13.0
Confluence Data Center >= 7.19.0 >= 7.19.0