Confluence Security issue raised after VAPT

First Issue: 

Finding Description:
During our assessment it was identified that the web application contains HTML form fields
with an input of type 'password' where 'autocomplete' is not set to 'off'. While this does not
represent a risk to this web server per se, it does mean that users who use the affected
forms may have their credentials saved in their browsers, which could in turn lead to a loss
of confidentiality if any of them use a shared host or their machine is compromised at
some point. The issue was identified under the following URLs:

Affected URLs

Ease of Identification:
The vulnerability was identified with the use of a common web browser.
Ease of Exploitation:
The vulnerability is not directly exploitable per se, but rather in correlation with other factors
(e.g. by gaining access to the end-user workstation).
Potential Impact: Low
Dumping all data from a browser can be fairly easy, as attackers can use a number of
readily available automated tools.
Exposure Level: Very Low
The exposure level is considered Very low.

Corrective Actions: Add the attribute 'autocomplete=off' to password fields to prevent browsers from caching credentials.


Second Issue:


During our assessment, we identified the following outdated JavaScript libraries in
use, which are susceptible to a number of vulnerabilities. Specifically, the libraries identified
are the following:

Affected URL                     Version
_super/batch.js?locale=fr-FR     jQuery 1.7.2

Note: The aforementioned JavaScript libraries are outdated and hence considered vulnerable;
however, it is uncertain whether the exposed/vulnerable functionalities of the libraries are
actually being used. As a result, the actual vulnerabilities cannot be verified.

Ease of Identification:
The identification is fairly easy, by monitoring and identifying the vulnerable versions of the
libraries. The ease of identification is considered very high.
Ease of Exploitation:
The exploitation of the vulnerabilities depends on specific functionality within the libraries
being used in the site/application code.

Potential Impact:
An attacker could potentially exploit various vulnerabilities in the affected libraries such as
Cross Site Scripting. These vulnerabilities do not target the server but rather its users. The
impacts of such attack can range from the disclosure of the user’s sensitive information to
execution of arbitrary code on the target user’s system.
Exposure Level:
The exposure level is considered very low.

Corrective Actions: Consider updating the affected libraries to the latest version.
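The two findings above are the kind of thing an automated scanner reports by inspecting markup and script text. The following script is an added example (not part of the original post and not Atlassian code) that reproduces both checks offline: it parses a constructed HTML form for password inputs whose autocomplete attribute is not 'off', and it extracts the version banner that jQuery embeds at the top of its source and compares it against a floor the reviewer chooses. The form, field names, bundle excerpt and the 3.5.0 floor are all assumptions made for the example.

```python
"""Audit helpers for the two VAPT findings above (added example; not from the
original post or from Atlassian). Checks: (1) <input type="password"> without
autocomplete="off"; (2) jQuery version banner in a JS bundle below a floor."""
import re
from html.parser import HTMLParser

# Constructed sample login/change-password form; field names are hypothetical.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="confirm" autocomplete="off">
  <input type="password" name="new" autocomplete="new-password">
</form>
"""

# Constructed excerpt mimicking the banner a minified jQuery build starts with.
SAMPLE_BUNDLE = """/*! jQuery v1.7.2 jquery.com | jquery.org/license */
(function(a,b){ /* ...library body elided... */ })(window);
"""

# Assumed floor: 3.5.0 is the release that fixed jQuery's htmlPrefilter XSS issues.
DEFAULT_FLOOR = (3, 5, 0)


class PasswordFieldAuditor(HTMLParser):
    """Collects password inputs whose autocomplete attribute is not exactly 'off'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser routes self-closing <input .../> here as well.
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if a.get("type") != "password":
            return
        if a.get("autocomplete") != "off":
            self.findings.append({
                "name": a.get("name", ""),
                "autocomplete": a.get("autocomplete", "(unset)"),
            })


def audit_password_fields(html):
    """Return a list of {name, autocomplete} dicts for flagged password inputs."""
    p = PasswordFieldAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Matches both "jQuery v1.7.2" (minified banner) and "jQuery JavaScript Library v1.7.2".
JQUERY_BANNER = re.compile(r"jQuery\s+(?:JavaScript Library\s+)?v(\d+)\.(\d+)(?:\.(\d+))?")


def find_jquery_version(js):
    """Return the jQuery version as an int tuple, or None if no banner is present."""
    m = JQUERY_BANNER.search(js)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def jquery_outdated(version, floor=DEFAULT_FLOOR):
    """True when a version was found and it is below the chosen floor."""
    return version is not None and version < floor


def audit(html, bundle, floor=DEFAULT_FLOOR):
    """Run both checks and return a combined report dict."""
    version = find_jquery_version(bundle)
    return {
        "password_fields": audit_password_fields(html),
        "jquery_version": version,
        "jquery_outdated": jquery_outdated(version, floor),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SAMPLE_BUNDLE)
    for f in report["password_fields"]:
        print(f"password field {f['name']!r}: autocomplete={f['autocomplete']}")
    print("jQuery version:", report["jquery_version"],
          "(outdated)" if report["jquery_outdated"] else "(at or above floor)")
```

Two caveats when reading the output. First, a scanner applying the finding literally also flags `autocomplete="new-password"`, which is the value that actually tells a browser to offer a fresh credential on change-password forms; treat that as a false positive. Second, current Chrome and Firefox ignore `autocomplete="off"` on login password fields for their built-in password managers, which is why the finding is rated low and why the answer below treats the remediation as of limited value. For the library check, a version banner alone confirms only that an old build is shipped; whether the vulnerable functions are reachable still has to be verified against the application's own code, as the report notes.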

1 answer

0 votes

You would need to pull apart Confluence and rebuild it with a set of unsupported code changes to implement this.

Two big impacts here are

  • A lot of software uses password autocomplete as part of "password safe" functions.  You absolutely do not want to remove this because people who use password safes are more secure than people who do not.  I have complex and unique passwords in my safe, which is more secure than re-using or sharing passwords or writing them down somewhere obvious.
  • You will be making upgrading and patching harder for yourself, but more importantly, you will sacrifice vendor support - the instant you do this, you are unsupported, which is a very large security risk (Atlassian will still try to help, but they are under no obligation if you've put unsupported changes into their software)
