We are in the middle of a production setup and are held up by security scans in the test environment.
We are using Confluence 5.10.6 Commercial edition. During the dynamic scans, the Qualys tool found the following vulnerabilities.
1) 150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities
a) XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser...
Comment: A significant portion of the XSS test payload appeared in the web page, but the response content type is non-HTML.
Response content-type: application/json
Access path: https://xx.xx.com/plugins/servlet/Wallboard/?dashboardId=10000
2) 150022 Syntax Error Occurred
The reflected string on the response web page indicates that the vulnerability test was successful.
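A defender's triage helper for a finding of this shape (added example, not code from the question, from Qualys or from Atlassian): it classifies a captured response by whether the reflection would actually be rendered as HTML, and shows how a JSON producer can escape HTML metacharacters so nothing is reflected verbatim. The marker string, the sample responses and all function names are constructed for the example.

```python
"""Triage of a 'reflected input in an application/json response' finding.

Constructed example: classifies a captured HTTP response by whether the
reflection would be rendered as HTML by a browser, and shows how the JSON
producer can escape HTML metacharacters regardless of Content-Type.
"""
import json

# Constructed marker: carries the HTML metacharacters that matter for the
# finding, but is not itself an attack string.
MARKER = "triage-marker<>"
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def declared_type(headers):
    """Media type from Content-Type, without parameters, lower-cased."""
    return headers.get("Content-Type", "").split(";", 1)[0].strip().lower()


def classify(headers, body, marker=MARKER):
    """Return (verdict, hardening hints) for one captured response."""
    ctype = declared_type(headers)
    nosniff = headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    hints = []
    if marker not in body:
        return "not-reflected", hints            # escaped (e.g. \u003c) or absent
    if ctype in HTML_TYPES:
        return "exploitable", ["output-encode the reflected value"]
    if ctype == "":
        return "undeclared-type", ["send an explicit Content-Type"]
    if not nosniff:
        hints.append("add X-Content-Type-Options: nosniff")
    if ctype == "application/json":
        hints.append("escape <, >, & in JSON strings")
        return "json-reflection", hints          # data response, not rendered as HTML
    return "non-html", hints


def json_with_html_escapes(obj):
    """Serialise to JSON so a reflected value never contains <, > or & verbatim."""
    return (json.dumps(obj).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


# Constructed sample responses, modelled on the finding in the question.
JSON_RESPONSE = ({"Content-Type": "application/json;charset=UTF-8"},
                 '{"dashboardId":"%s"}' % MARKER)
HTML_RESPONSE = ({"Content-Type": "text/html"},
                 "<p>Dashboard %s not found</p>" % MARKER)
ESCAPED_RESPONSE = ({"Content-Type": "application/json",
                     "X-Content-Type-Options": "nosniff"},
                    json_with_html_escapes({"dashboardId": MARKER}))

if __name__ == "__main__":
    for name, (hdrs, body) in [("json", JSON_RESPONSE), ("html", HTML_RESPONSE),
                               ("escaped", ESCAPED_RESPONSE)]:
        print(name, classify(hdrs, body))
```

The "json-reflection" verdict is the case the Qualys comment describes: the value comes back in a data response that a browser does not render as a document, so the hardening hints rather than an emergency fix are the practical outcome.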
I remember passing these vulnerability scans for the internal network and for a custom web application to comply with some security standard.
For vulnerabilities concerning a third-party web application like JIRA, in your case, we closed the holes by adding rules to the Apache proxy server. Please be aware that by doing this you can break JIRA functionality that relies on the URLs you closed.