his High severity Stored XSS vulnerability was introduced in version 2.7.0 of Confluence Data Center. This Stored XSS vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires no user interaction. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.7.0 to 8.7.1|8.8.0 recommended or 8.7.2| |from 8.6.0 to 8.6.1|8.8.0 recommended| |from 8.5.0 to 8.5.4 LTS|8.8.0 recommended or 8.5.5 LTS or 8.5.6 LTS| |from 8.4.0 to 8.4.5|8.8.0 recommended or 8.5.6 LTS| |from 8.3.0 to 8.3.4|8.8.0 recommended or 8.5.6 LTS| |from 8.2.0 to 8.2.3|8.8.0 recommended or 8.5.6 LTS| |from 8.1.0 to 8.1.4|8.8.0 recommended or 8.5.6 LTS| |from 8.0.0 to 8.0.4|8.8.0 recommended or 8.5.6 LTS| |from 7.20.0 to 7.20.3|8.8.0 recommended or 8.5.6 LTS| |from 7.19.0 to 7.19.17 LTS|8.8.0 recommended or 8.5.6 LTS or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| |Any earlier versions|8.8.0 recommended or 8.5.6 LTS or 7.19.19 LTS| Server Atlassian recommends that Confluence Server customers upgrade to the latest 8.5.x LTS version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: ||Affected versions||Fixed versions|| |from 8.5.0 to 8.5.4 LTS|8.5.5 LTS or 8.5.6 LTS recommended | |from 8.4.0 to 8.4.5|8.5.6 LTS recommended| |from 8.3.0 to 8.3.4|8.5.6 LTS recommended| |from 8.2.0 to 8.2.3|8.5.6 LTS recommended| |from 8.1.0 to 8.1.4|8.5.6 LTS recommended| |from 8.0.0 to 8.0.4|8.5.6 LTS recommended| |from 7.20.0 to 7.20.3|8.5.6 LTS recommended| |from 7.19.0 to 7.19.17 LTS|8.5.6 LTS recommended or 7.19.18 LTS or 7.19.19 LTS| |from 7.18.0 to 7.18.3|8.5.6 LTS recommended or 7.19.19 LTS| |from 7.17.0 to 7.17.5|8.5.6 LTS recommended or 7.19.19 LTS| |Any earlier versions|8.5.6 LTS recommended or 7.19.19 LTS| See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]). You can download the latest version of Confluence Data Center from the download center ([https://www.atlassian.com/software/confluence/download-archives]). This vulnerability was reported via our Bug Bounty program.
| Link | Resource |
|---|---|
| https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 | Vendor Advisory |
| https://jira.atlassian.com/browse/CONFSERVER-94513 | Issue Tracking Vendor Advisory |
| https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 | Vendor Advisory |
| https://jira.atlassian.com/browse/CONFSERVER-94513 | Issue Tracking Vendor Advisory |
Configuration 1 (hide)
|
06 May 2025, 14:52
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:atlassian:confluence_data_center:*:*:*:*:*:*:*:* cpe:2.3:a:atlassian:confluence_server:*:*:*:*:*:*:*:* |
|
| References | () https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 - Vendor Advisory | |
| References | () https://jira.atlassian.com/browse/CONFSERVER-94513 - Issue Tracking, Vendor Advisory | |
| First Time |
Atlassian confluence Server
Atlassian confluence Data Center Atlassian |
21 Nov 2024, 08:54
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://confluence.atlassian.com/pages/viewpage.action?pageId=1354501606 - | |
| References | () https://jira.atlassian.com/browse/CONFSERVER-94513 - |
31 Oct 2024, 16:35
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-79 |
Published : 2024-02-20 18:15
Updated : 2025-05-06 14:52
NVD link : CVE-2024-21678
Mitre link : CVE-2024-21678
CVE.ORG link : CVE-2024-21678
JSON object : View
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')