Stored XSS in Atlassian Confluence DC/Server 7.13
CVE-2024-21686 Published on July 16, 2024

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

NVD

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2024-21686 has been classified to as a XSS vulnerability or weakness.

Products Associated with CVE-2024-21686

Want to know whenever a new CVE is published for Atlassian Confluence? stack.watch will email you.

Atlassian Confluence

Affected Versions

Atlassian Confluence Data Center:

Version 8.9.0 is affected.
Version 8.8.0 to 8.8.1 is affected.
Version 8.7.1 to 8.7.2 is affected.
Version 8.6.0 to 8.6.2 is affected.
Version 8.5.0 to 8.5.8 is affected.
Version 8.4.0 to 8.4.5 is affected.
Version 8.3.0 to 8.3.4 is affected.
Version 8.2.0 to 8.2.3 is affected.
Version 8.1.0 to 8.1.4 is affected.
Version 8.0.0 to 8.0.4 is affected.
Version 7.20.0 to 7.20.3 is affected.
Version 7.19.0 to 7.19.21 is affected.
Version 8.9.1 to 8.9.4 is unaffected.
Version 8.5.9 to 8.5.12 is unaffected.
Version 7.19.22 to 7.19.25 is unaffected.

Atlassian Confluence Server:

Version 8.5.0 to 8.5.8 is affected.
Version 8.4.0 to 8.4.5 is affected.
Version 8.3.0 to 8.3.4 is affected.
Version 8.2.0 to 8.2.3 is affected.
Version 8.1.0 to 8.1.4 is affected.
Version 8.0.0 to 8.0.4 is affected.
Version 7.20.0 to 7.20.3 is affected.
Version 7.19.0 to 7.19.21 is affected.
Version 8.5.9 to 8.5.12 is unaffected.
Version 7.19.22 to 7.19.25 is unaffected.

atlassian confluence_data_center:

Version 8.9.0 is affected.
Version 8.8.0, <= 8.8.1 is affected.
Version 8.7.1, <= 8.7.2 is affected.
Version 8.6.0, <= 8.6.2 is affected.
Version 8.5.0, <= 8.5.8 is affected.
Version 8.4.0, <= 8.4.5 is affected.
Version 8.3.0, <= 8.3.4 is affected.
Version 8.2.0, <= 8.2.3 is affected.
Version 8.1.0, <= 8.1.4 is affected.
Version 8.0.0, <= 8.0.4 is affected.
Version 7.20.0, <= 7.20.3 is affected.
Version 7.19.0, <= 7.19.21 is affected.
Version 8.9.1, <= 8.9.4 is affected.
Version 8.5.9, <= 8.5.12 is affected.
Version 7.19.22, <= 7.19.25 is affected.

atlassian confluence_server:

Version 8.5.0, <= 8.5.8 is affected.
Version 8.4.0, <= 8.4.5 is affected.
Version 8.3.0, <= 8.3.4 is affected.
Version 8.2.0, <= 8.2.3 is affected.
Version 8.1.0, <= 8.1.4 is affected.
Version 8.0.0, <= 8.0.4 is affected.
Version 7.20.0, <= 7.20.3 is affected.
Version 7.19.0, <= 7.19.21 is affected.
Version 8.5.9, <= 8.5.12 is affected.
Version 7.19.22, <= 7.19.25 is affected.

Exploit Probability

EPSS

2.88%

Percentile

86.07%