Atlassian Confluence fixes High Severity XSS Flaw – CVE-2024-21678



Atlassian has released a security update addressing CVE-2024-21678 with a CVSS score of 8.5, a high-severity stored cross-site scripting vulnerability impacting multiple Confluence Server and Data Center versions.

This flaw “allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction.”


Successful exploitation of this XSS flaw requires attacker authentication but carries significant consequences:

  • Session Hijacking: Attackers could steal authentication credentials and session tokens, allowing them to escalate privileges and gain unauthorized access to sensitive Confluence data.
  • Data Integrity Compromise: Malicious content can be injected, potentially defacing the Confluence instance, misdirecting users, and damaging trust in the platform.
  • Lateral Movement: An XSS foothold can act as a springboard for further attacks within the organization’s network, potentially leading to data exfiltration or ransomware deployment.

CVE-2024-21678 first emerged in Confluence Data Center version 2.7.0. For users of Confluence Data Center, Atlassian advises updating to the most recent release. If that is not feasible, upgrade to one of the designated, officially supported fixed versions listed below.

| Affected versions | Fixed versions |
|---|---|
| from 8.7.0 to 8.7.1 | 8.8.0 recommended or 8.7.2 |
| from 8.6.0 to 8.6.1 | 8.8.0 recommended |
| from 8.5.0 to 8.5.4 LTS | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 8.4.0 to 8.4.5 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 8.3.0 to 8.3.4 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 8.2.0 to 8.2.3 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 8.1.0 to 8.1.4 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 8.0.0 to 8.0.4 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 7.20.0 to 7.20.3 | 8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS |
| from 7.19.0 to 7.19.17 LTS | 8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS |
| from 7.18.0 to 7.18.3 | 8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS |
| from 7.17.0 to 7.17.5 | 8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS |
| Any earlier versions | 8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS |

For Confluence Server customers, the recommendation is to update to the newest release in the 8.5.x LTS series. If that is not possible, upgrade to one of the officially supported fixed versions listed below.

| Affected versions | Fixed versions |
|---|---|
| from 8.5.0 to 8.5.4 LTS | 8.5.5 LTS or 8.5.6 LTS recommended |
| from 8.4.0 to 8.4.5 | 8.5.6 LTS recommended |
| from 8.3.0 to 8.3.4 | 8.5.6 LTS recommended |
| from 8.2.0 to 8.2.3 | 8.5.6 LTS recommended |
| from 8.1.0 to 8.1.4 | 8.5.6 LTS recommended |
| from 8.0.0 to 8.0.4 | 8.5.6 LTS recommended |
| from 7.20.0 to 7.20.3 | 8.5.6 LTS recommended |
| from 7.19.0 to 7.19.17 LTS | 8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS |
| from 7.18.0 to 7.18.3 | 8.5.6 LTS recommended or 7.19.19 LTS |
| from 7.17.0 to 7.17.5 | 8.5.6 LTS recommended or 7.19.19 LTS |
| Any earlier versions | 8.5.6 LTS recommended or 7.19.19 LTS |
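Turning the two tables above into something an operator can run over an inventory is the practical next step. The following Python script is an added example, not Atlassian's tooling and not part of the original article: it transcribes the affected ranges and fixed releases from both tables, parses version strings as they appear in Confluence (including the "LTS" suffix), applies the "Any earlier versions" row to anything below 7.17.0, and reports which hosts need an upgrade and to which releases. The function names and the sample inventory are constructed for this example.

```python
"""Check Confluence versions against the CVE-2024-21678 advisory tables.

Added example, not Atlassian's own tooling. Ranges and fixed releases are
transcribed from the advisory tables; function names and the sample
inventory below are constructed for illustration.
"""
import re

# Fixed-release lists shared by several advisory rows ("LTS" suffixes dropped).
DC_STANDARD = ["8.8.0", "8.5.5", "8.5.6"]
DC_OLD = ["8.8.0", "8.5.6", "7.19.19"]
SERVER_OLD = ["8.5.6", "7.19.19"]

# One entry per table row: (lowest affected, highest affected,
# Data Center fixed releases, Server fixed releases or None if the
# Server table has no row for that range).
ADVISORY_ROWS = [
    ("8.7.0", "8.7.1", ["8.8.0", "8.7.2"], None),
    ("8.6.0", "8.6.1", ["8.8.0"], None),
    ("8.5.0", "8.5.4", DC_STANDARD, ["8.5.5", "8.5.6"]),
    ("8.4.0", "8.4.5", DC_STANDARD, ["8.5.6"]),
    ("8.3.0", "8.3.4", DC_STANDARD, ["8.5.6"]),
    ("8.2.0", "8.2.3", DC_STANDARD, ["8.5.6"]),
    ("8.1.0", "8.1.4", DC_STANDARD, ["8.5.6"]),
    ("8.0.0", "8.0.4", DC_STANDARD, ["8.5.6"]),
    ("7.20.0", "7.20.3", DC_STANDARD, ["8.5.6"]),
    ("7.19.0", "7.19.17", ["8.8.0", "8.5.6", "7.19.18", "7.19.19"],
     ["8.5.6", "7.19.18", "7.19.19"]),
    ("7.18.0", "7.18.3", DC_OLD, SERVER_OLD),
    ("7.17.0", "7.17.5", DC_OLD, SERVER_OLD),
]
# "Any earlier versions": everything below the oldest listed range.
EARLIEST_LISTED = "7.17.0"
EARLIER_ROW = (None, EARLIEST_LISTED, DC_OLD, SERVER_OLD)

# Accepts "8.5.4", "8.5.4 LTS", "v7.19.17 LTS"; at most three numeric parts.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+){0,2})(?:\s+LTS)?\s*$", re.IGNORECASE)


def parse_version(text):
    """'8.5.4 LTS' -> (8, 5, 4). Missing components are padded with zeros."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Confluence version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def advisory_row(version):
    """Return the advisory row covering `version`, or None if it is not affected."""
    v = parse_version(version)
    for low, high, dc_fixes, server_fixes in ADVISORY_ROWS:
        if parse_version(low) <= v <= parse_version(high):
            return (low, high, dc_fixes, server_fixes)
    if v < parse_version(EARLIEST_LISTED):
        return EARLIER_ROW
    return None


def is_affected(version):
    return advisory_row(version) is not None


def upgrade_targets(version, product="datacenter"):
    """Fixed releases for the row covering `version`; [] if not affected or
    if the Server table has no row for that range."""
    row = advisory_row(version)
    if row is None:
        return []
    fixes = row[2] if product == "datacenter" else row[3]
    return list(fixes or [])


def scan_inventory(inventory, product="datacenter"):
    """inventory: iterable of (hostname, version). Returns affected hosts
    as (hostname, version, fixed releases) tuples."""
    return [
        (host, version, upgrade_targets(version, product))
        for host, version in inventory
        if is_affected(version)
    ]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = [
        ("wiki-prod-01", "8.5.4 LTS"),
        ("wiki-prod-02", "8.5.6 LTS"),
        ("wiki-dev-01", "8.7.1"),
        ("wiki-legacy", "7.13.2"),
    ]
    for host, version, fixes in scan_inventory(sample, product="datacenter"):
        print(f"{host}: {version} is affected by CVE-2024-21678; "
              f"upgrade to one of {', '.join(fixes)}")
```

Feed it the versions you actually run (the build number shown in Confluence's administration console is enough) and pass `product="server"` for Server licences; any hostname it prints is one the tables say still needs the update.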
