We wish to advise our customers of a cross-site scripting (XSS) vulnerability that affects the UI Button macro and UI Image macro macros. Affected versions are Refined Toolkit for Confluence Server 1.0 - 2.2.5.
...
This issue is resolved and released in version: Version 2.2.7. We strongly recommend you update to this version as soon as possible.
We'd like to thank Daniel Teuchert and Roman Ferdigg (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab for responsibly reporting the identified issue and working with us as we addressed it.