CVE-2017-16856
MEDIUMAtlassian Confluence < 6.5.2 - Stored Cross-Site Scripting via RSS Feed Macro
Title source: llmDescription
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or JavaScript via cross site scripting (XSS) vulnerabilities in various rss properties which were used as links without restriction on their scheme.
References (2)
Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/CONFSERVER-54395
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102094
Scores
CVSS v3
6.1
EPSS
0.0019
EPSS Percentile
40.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
atlassian/confluence
< 6.5.2
Atlassian/Confluence
All versions prior to version 6.5.2
Published
Dec 05, 2017
Tracked Since
Feb 18, 2026