Security Vulnerability

umit.unal March 27, 2020

Hello all,

We have Confluence Server in the office. The version is 7.1.2. When I try to run a script in the search bar, it executes the script. I think this is an XSS vulnerability.

Is it negligence that we forgot to install some security package? Or is it a security vulnerability in Confluence?

Can someone help with this?

Thanks in advance,

Umit.

2 answers

0 votes
umit.unal April 2, 2020

Hi Shannon,

Please go to docs.zerodensity.tv and find the search bar on top right.

Thanks!

Umit

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 2, 2020

Hi Umit,

Thank you for providing the example.

It looks like you're using a theme from Scroll Viewport in order to generate that page, so it's not using the built-in Confluence search.

Could you test this without the Scroll Viewport page, possibly on your staging instance, and let me know if you still have the problem within Confluence? You may need to disable any customization as well.

I've tried testing this on my own Confluence Server site, but the script does not execute. Instead, a search is executed.

In the case with your site, if we use Developer Tools, we can see that the search your site is calling is this: 

https://docs.zerodensity.tv/main/search?q=%3Cscript%3Ealert(%271%27)%3C/script%3E&quicksearch=true

Whereas with Confluence, the search call would look like this:

(QuickNav vs Full Search)

http://*:8090/wiki/rest/api/search?cql=siteSearch%20~%20%22%3Cscript%3Ealert(%271%27)%3C%2Fscript%3E%22%20AND%20type%20in%20(%22space%22%2C%22user%22%2C%22page%22%2C%22blogpost%22%2C%22attachment%22)&start=0&limit=20&excerpt=highlight&expand=space.icon&includeArchivedSpaces=false&src=next.ui.search
http://*:8090/wiki/rest/quicknav/1/search?query=%3Cscript%3Ealert(%271%27)%3C%2Fscript%3E&limit=10&src=next.ui.search

Let me know if you have any questions about that.

Regards,

Shannon
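To illustrate the distinction Shannon draws above, here is an added example (not Confluence's or Scroll Viewport's code): it decodes the `q` parameter from the search URL quoted in the thread, renders it through a results template that echoes the term raw and through one that HTML-escapes it, and provides a check a site owner can run over a captured response body to see whether the term came back unescaped. Only the URL is taken from the thread; the templates and the check are constructed for this example.

```python
"""Reflected search term: raw echo vs. HTML-escaped echo, plus a response check.

Added example, not Confluence or Scroll Viewport code. The URL is the one
captured in the thread; the templates and the check are constructed here.
"""
import html
from urllib.parse import parse_qs, urlparse

# Search URL as captured in Developer Tools in the thread above.
SEARCH_URL = ("https://docs.zerodensity.tv/main/search"
              "?q=%3Cscript%3Ealert(%271%27)%3C/script%3E&quicksearch=true")


def search_term(url: str) -> str:
    """Return the percent-decoded value of the `q` parameter ('' if absent)."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(term: str) -> str:
    """Constructed results template that echoes the term raw.

    The browser parses whatever the user typed as markup, which is the
    behaviour the original poster observed."""
    return f"<h1>Results for: {term}</h1>"


def render_escaped(term: str) -> str:
    """Same template with output encoding, as a server-side fix would do.

    html.escape turns <, >, &, " and ' into entities, so the term is shown
    as text and never interpreted as markup."""
    return f"<h1>Results for: {html.escape(term, quote=True)}</h1>"


def reflects_unescaped(body: str, term: str) -> bool:
    """Defender's check on a captured response body.

    True when a term containing markup-significant characters appears in
    the body verbatim, i.e. it was reflected without encoding. A term with
    no such characters cannot be abused by reflection alone."""
    if not any(c in term for c in "<>\"'&"):
        return False
    return term in body


if __name__ == "__main__":
    term = search_term(SEARCH_URL)
    print("decoded q:", term)
    for name, page in (("raw", render_vulnerable(term)), ("escaped", render_escaped(term))):
        print(f"{name:8} reflected unescaped={reflects_unescaped(page, term)} :: {page}")
```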

0 votes
Shannon S
Atlassian Team
April 1, 2020

Hi Umit,

Welcome to Atlassian Community. It's nice to have you join us!

Could you show me the example of the script you're trying to run? What is the expected behavior rather than it executing the script?

I'd like to test this myself so I can confirm with you and let you know if there's anything you need to enable in your administration.

Regards,

Shannon

umit.unal April 1, 2020

Hi Shannon,

Thanks for your answer! It's a very simple script, like <script>alert('1')</script>. I could not believe my eyes.

1.PNG

Shannon S
Atlassian Team
April 2, 2020

Hi Umit,

Thank you for providing that screenshot and the example of the script.

Can you let me know what search bar that is? The Confluence search bar looks like this:

CleanShot 2020-04-02 at 13.16.54.png

The example you sent me doesn't look familiar. Can you let me know where within Confluence I should go to replicate your issue?

By the way, this past spring, we did have a few security vulnerabilities announced in Confluence. You can find out more about that by reading Confluence CVEs and Common Questions. However, your version of 7.1.2 is new enough that you should not be affected by this.

Let me know if you have any questions!

Regards,

Shannon
