
Security Alert

We have found a cross-site scripting (XSS) vulnerability in the global menu feature. Affected versions are RefinedTheme for Confluence 3.0.0 - 5.1.18.

Risk Assessment

We have identified and fixed a cross-site scripting (XSS) vulnerability which may affect Confluence instances, including publicly available instances (that is, internet-facing servers). This XSS vulnerability potentially allows an attacker to embed their own JavaScript into a global menu item which is rendered on all pages. The attacker needs to have Confluence Admin permissions to be able to insert a link with malicious JavaScript code into a global menu item.

You can read more about XSS attacks at http://www.cgisecurity.com/articles/xss-faq.shtml

If you have any questions regarding this matter please contact us at support@refinedwiki.com.

Fixed Versions

This issue is resolved, and the fix is released in versions 5.1.19 and 6.0.0. We strongly recommend you update to one of these versions.
