High Severity Reflected XSS and CSRF Vulnerability Affects Atlassian Confluence Products
CVE-2024-21690
7.1 HIGH
Key Information:
- Vendor: Atlassian
- CVE Published: 21 August 2024
What is CVE-2024-21690?
The vulnerability allows unauthenticated attackers to execute arbitrary HTML or JavaScript in a victim user's browser (reflected XSS). Combined with the CSRF weakness, this lets an attacker trigger unwanted actions in the web application on behalf of the victim, who is already authenticated, posing a significant risk to user confidentiality. The flaw affects certain versions of Atlassian Confluence Data Center and Server across major releases from 7.19.x to 8.9.x. Users are advised to upgrade to the specified fixed versions to mitigate potential exploitation. Refer to the release notes for detailed upgrade guidance.
Affected Version(s)
Confluence Data Center 8.9.0 to 8.9.5
Confluence Data Center 8.8.0 to 8.8.1
Confluence Data Center 8.7.1 to 8.7.2
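To check an inventory of Confluence versions against the ranges listed above, here is an added example (not Atlassian's code and not part of this advisory). It encodes only the three ranges shown on this page; the earlier 7.19.x releases the description mentions are not listed here and so are not encoded, which means "not in listed ranges" is not a clean bill of health.

```python
# Added example (not part of the advisory): checks whether a Confluence
# Data Center version string falls inside the affected ranges listed above.
# Only the three ranges shown on this page are encoded; the advisory says
# earlier releases from 7.19.x are also affected, so a version outside
# these ranges is NOT necessarily safe. Fixed versions come from Atlassian's
# release notes, which this script does not know.
from typing import Dict, Iterable, Tuple

Version = Tuple[int, ...]

# Inclusive (low, high) ranges exactly as listed on this page.
AFFECTED_RANGES = [
    ("8.9.0", "8.9.5"),
    ("8.8.0", "8.8.1"),
    ("8.7.1", "8.7.2"),
]


def parse_version(text: str) -> Version:
    """Turn '8.9.5' into (8, 9, 5) so comparison is numeric, not lexical.
    A plain string compare would wrongly rank '8.9.10' below '8.9.5'."""
    text = text.strip()
    if not text:
        raise ValueError("empty version string")
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"non-numeric version component in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the listed affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version to a status string for a quick fleet inventory check."""
    return {ver: ("affected" if is_affected(ver) else "not in listed ranges") for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory of Confluence versions (not real hosts).
    for ver, status in triage(["8.9.3", "8.9.5", "8.9.6", "8.7.0", "8.8.1"]).items():
        print(f"{ver}: {status}")
```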