CVE-2024-21686

moderate-risk

Published 2024-07-16

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions listed on this CVE See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

Do I need to act?

3.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.7/10 High

NETWORK / LOW complexity

Affected Products (2)

Confluence Data Center

Confluence Server

Affected Vendors

Atlassian

References (4)

Vendor Advisory https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917

Issue Tracking https://jira.atlassian.com/browse/CONFSERVER-96134

Vendor Advisory https://confluence.atlassian.com/pages/viewpage.action?pageId=1417150917

Issue Tracking https://jira.atlassian.com/browse/CONFSERVER-96134

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 7/34 · Low

Exposure 7/34 · Low