CVE-2020-36290
MEDIUM
Confluence Data Center and Server < 7.4.5, 7.5.0-7.6.3, 7.7.0-7.7.4 - Stored Cross-Site Scripting in Livesearch Macro
Title source: llm
Description
The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.
References (1)
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.atlassian.com/browse/CONFSERVER-60118
Scores
CVSS v3
5.4
EPSS
0.0046
EPSS Percentile
64.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
atlassian/confluence_data_center
< 7.4.5
atlassian/confluence_server
< 7.4.5
Published
Jul 26, 2022
Tracked Since
Feb 18, 2026