CVE-2024-21686
This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: \n h2. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: |Affected versions|Fixed versions| |8.9.0|8.9.1| |from 8.8.0 to 8.8.1|8.9.1| |from 8.7.0 to 8.7.2|8.9.1| |from 8.6.0 to 8.6.2|8.9.1| |from 8.5.0 to 8.5.8 LTS|8.9.1 or 8.5.9 LTS recommended| |from 8.4.0 to 8.4.5|8.9.1 or 8.5.9 LTS recommended| |from 8.3.0 to 8.3.4|8.9.1 or 8.5.9 LTS recommended| |from 8.2.0 to 8.2.3|8.9.1 or 8.5.9 LTS recommended| |from 8.1.0 to 8.1.4|8.9.1 or 8.5.9 LTS recommended| |from 8.0.0 to 8.0.4|8.9.1 or 8.5.9 LTS recommended| |from 7.20.0 to 7.20.3|8.9.1 or 8.5.9 LTS recommended| |from 7.19.0 to 7.19.21 LTS|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |from 7.18.0 to 7.18.3|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |from 7.17.0 to 7.17.5|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |Any earlier versions|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| \n h2. Server Atlassian recommends that Confluence Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: |Affected versions|Fixed versions| |from 8.5.0 to 8.5.8 LTS|8.5.9 LTS recommended| |from 8.4.0 to 8.4.5|8.5.9 LTS recommended| |from 8.3.0 to 8.3.4|8.5.9 LTS recommended| |from 8.2.0 to 8.2.3|8.5.9 LTS recommended| |from 8.1.0 to 8.1.4|8.5.9 LTS recommended| |from 8.0.0 to 8.0.4|8.5.9 LTS recommended| |from 7.20.0 to 7.20.3|8.5.9 LTS recommended| |from 7.19.0 to 7.19.21 LTS|8.5.9 LTS recommended or 7.19.22 LTS| |from 7.18.0 to 7.18.3|8.5.9 LTS recommended or 7.19.22 LTS| |from 7.17.0 to 7.17.5|8.5.9 LTS recommended or 7.19.22 LTS| |Any earlier versions|8.5.9 LTS recommended or 7.19.22 LTS| See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
EPSS 2.57% · 85.8th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Atlassian | Confluence Server | |
| Atlassian | Confluence Data Center |
Timeline
- Jul 16, 2024 CVE Published
- Jul 17, 2024 EPSS Score
- Aug 8, 2024 EPSS Score
- Aug 30, 2024 EPSS Score
- Oct 12, 2024 EPSS Score
- Nov 3, 2024 EPSS Score
- Nov 25, 2024 EPSS Score
- Dec 17, 2024 EPSS Score
- Jan 8, 2025 EPSS Score
- Jan 30, 2025 EPSS Score
- Mar 14, 2025 EPSS Score
- Mar 19, 2025 CVE Updated