CVE-2020-29444 — Cross-site Scripting in Atlassian Confluence Server

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 49.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Atlassian Confluence Server Atlassian Confluence Data Center

Timeline

PublishedMay 7

Latest updateMay 24

Description

Affected versions of Team Calendar in Confluence Server before 7.11.0 allow attackers to inject arbitrary HTML or Javascript via a Cross Site Scripting Vulnerability in admin global setting parameters.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5atlassian/confluence_serverunspecified — 7.11.0

▶NVDatlassian/confluence_server< 7.11.0

▶NVDatlassian/confluence_data_center< 7.11.0

🔴Vulnerability Details

GHSA

GHSA-xvv9-f9hm-rghr: Affected versions of Team Calendar in Confluence Server before 7↗2022-05-24

▶

CVEList

CVE-2020-29444: Affected versions of Team Calendar in Confluence Server before 7↗2021-05-07

▶