CVE-2020-36290Cross-site Scripting in Atlassian Confluence Data Center

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.4MEDIUMNVD
EPSS
0.5%
top 35.93%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Atlassian Confluence Data CenterAtlassian Confluence Server
Timeline
PublishedJul 26
Latest updateJul 27

Description

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

CVEListV5atlassian/confluence_data_centerunspecified7.4.5+4
NVDatlassian/confluence_data_center7.5.07.6.3+2
CVEListV5atlassian/confluence_serverunspecified7.4.5+4
NVDatlassian/confluence_server7.5.07.6.3+2

🔴Vulnerability Details

2
GHSA
GHSA-9r83-5mrw-rhhq: The Livesearch macro in Confluence Server and Data Center before version 72022-07-27
CVEList
CVE-2020-36290: The Livesearch macro in Confluence Server and Data Center before version 72022-07-26
CVE-2020-36290 — Cross-site Scripting in Atlassian | cvebase