CVE-2019-20102 — Cross-site Scripting in Atlassian Confluence Server

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 38.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Confluence Server

Timeline

PublishedApr 22

Latest updateMay 24

Description

The attachment-uploading feature in Atlassian Confluence Server from version 6.14.0 through version 6.14.3, and version 6.15.0 before version 6.15.5 allows remote attackers to achieve stored cross-site- scripting (SXSS) via a malicious attachment with a modified `mimeType` parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶CVEListV5atlassian/confluence_server6.14.0 — unspecified+3

▶NVDatlassian/confluence_server6.15.0 — 6.15.5+1

🔴Vulnerability Details

GHSA

GHSA-65gh-pwxv-875j: The attachment-uploading feature in Atlassian Confluence Server from version 6↗2022-05-24

▶

CVEList

CVE-2019-20102: The attachment-uploading feature in Atlassian Confluence Server from version 6↗2020-04-22

▶