Security advisory 2018-05-15

Security alert

We have found a cross-site scripting (XSS) vulnerability in the global menu feature. Affected versions are RefinedTheme for Confluence 3.0.0 - 5.1.18.

Risk assessment

We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances, including publicly available instances (that is, internet-facing servers). This XSS vulnerability potentially allows an attacker to embed their own JavaScript into a global menu item which is rendered on all pages. The attacker needs to have Confluence Admin permissions to be able to insert a link with malicious JavaScript code into a global menu item.
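The advisory describes the defect only at a high level: a menu-item link supplied by an administrator is rendered into every page without its target being restricted to ordinary web URLs. The following added example (not RefinedTheme or Atlassian code; the base URL, the item shape and the sample entries are constructed for illustration) shows the two controls a defender expects at that point: an allowlist check on the link's scheme after WHATWG URL normalisation, and HTML escaping of everything placed into the rendered anchor.

```javascript
// Added example, not code from the advisory or the product.
// Allowlist validation of a menu item's link target plus attribute-context
// escaping before the item is rendered into the page.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const BASE = "https://confluence.example.test/"; // assumed site base URL (constructed)

// Returns true only if href resolves to an http(s) URL. Parsing through the
// WHATWG URL parser normalises scheme case and strips surrounding whitespace,
// so the check is made on the canonical form rather than on the raw string.
function isSafeMenuHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    url = new URL(href, BASE); // relative paths resolve against BASE
  } catch {
    return false; // unparseable input is rejected, not passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Escape a value for use inside a double-quoted HTML attribute or a text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render one global-menu item. A link that fails validation is replaced by
// an inert "#" target and flagged so an audit log can record the rejection.
function renderMenuItem(item) {
  const safe = isSafeMenuHref(item.href);
  const href = safe ? new URL(item.href, BASE).href : "#";
  return {
    html: `<a href="${escapeHtml(href)}">${escapeHtml(item.label)}</a>`,
    rejected: !safe,
  };
}

// Render a whole menu; returns one result per item in the original order.
function auditMenu(items) {
  return items.map(renderMenuItem);
}

// Constructed sample entries (hypothetical, not taken from the advisory).
const SAMPLE_ITEMS = [
  { label: "Home", href: "/display/HOME" },
  { label: "Docs", href: "https://docs.example.test/" },
  { label: "Bad scheme", href: "javascript:void(0)" },
  { label: "<b>Markup in label</b>", href: "https://example.test/?q=a&b=c" },
];

for (const r of auditMenu(SAMPLE_ITEMS)) {
  console.log(r.rejected ? "REJECTED" : "ok      ", r.html);
}
```

The scheme allowlist is deliberately short: anything that is not plain `http:` or `https:` after normalisation is dropped rather than enumerated as dangerous, and escaping is applied to both the label and the already-validated URL so that a query string containing `&` or quotes cannot break out of the attribute.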


If you have any questions regarding this matter please contact us.

Fixed versions

This issue is resolved and released in versions 5.1.19 and 6.0.0. We strongly recommend you update to one of these versions.