High Severity Reflected XSS and CSRF Vulnerability Affects Atlassian Confluence Products
CVE-2024-21690

7.1 HIGH

Key Information:

Vendor:
Atlassian
CVE Published:
21 August 2024

Summary

The vulnerability allows an unauthenticated attacker to execute arbitrary HTML or JavaScript in the browser of a victim user. With that foothold, the attacker can trigger unwanted actions in web applications in which the victim is currently authenticated, posing a significant risk to user confidentiality. The flaw affects certain versions of Atlassian Confluence Data Center and Server across major release lines from 7.19.x to 8.9.x. Users are advised to upgrade to the specified fixed versions to mitigate potential exploitation; refer to the release notes for detailed upgrade guidance.

Affected Version(s)

Confluence Data Center 8.9.0 to 8.9.5

Confluence Data Center 8.8.0 to 8.8.1

Confluence Data Center 8.7.1 to 8.7.2

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
