Stored XSS Vulnerability in Confluence Data Center and Server by Atlassian
CVE-2024-21686

8.7HIGH

Key Information:

Vendor: Atlassian
Status: Confluence Data Center; Confluence Server
Vendor: CVE Published:; 16 July 2024

What is CVE-2024-21686?

A stored cross-site scripting (XSS) vulnerability has been identified in Confluence Data Center and Server, affecting versions 7.13 and earlier. This vulnerability allows an authenticated attacker to inject and execute arbitrary HTML or JavaScript code in the context of a victim's browser. The exploitation of this vulnerability poses significant risks to the confidentiality and integrity of user data, necessitating immediate attention from affected users. Atlassian advises all customers running vulnerable versions to upgrade to the latest version. For users unable to upgrade, migrating to one of the specified fixed versions is strongly recommended. More details and release notes can be found in Atlassian's documentation.

Affected Version(s)

Confluence Data Center 8.9.0

Confluence Data Center 8.8.0 to 8.8.1

Confluence Data Center 8.7.1 to 8.7.2

References

https://confluence.atlassian.com/pages/viewpage.action?pa...

https://jira.atlassian.com/browse/CONFSERVER-96134

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

CVSS V3.0

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 16, 2024