CVE-2024-21686 — Vulnetix

CVE-2024-21686 PUBLISHED CVSS 7.300000190734863 HIGH

This High severity Stored XSS vulnerability was introduced in versions 7.13 of Confluence Data Center and Server. This Stored XSS vulnerability, with a CVSS Score of 7.3, allows an authenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser which has high impact to confidentiality, high impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: \n h2. Data Center Atlassian recommends that Confluence Data Center customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: |Affected versions|Fixed versions| |8.9.0|8.9.1| |from 8.8.0 to 8.8.1|8.9.1| |from 8.7.0 to 8.7.2|8.9.1| |from 8.6.0 to 8.6.2|8.9.1| |from 8.5.0 to 8.5.8 LTS|8.9.1 or 8.5.9 LTS recommended| |from 8.4.0 to 8.4.5|8.9.1 or 8.5.9 LTS recommended| |from 8.3.0 to 8.3.4|8.9.1 or 8.5.9 LTS recommended| |from 8.2.0 to 8.2.3|8.9.1 or 8.5.9 LTS recommended| |from 8.1.0 to 8.1.4|8.9.1 or 8.5.9 LTS recommended| |from 8.0.0 to 8.0.4|8.9.1 or 8.5.9 LTS recommended| |from 7.20.0 to 7.20.3|8.9.1 or 8.5.9 LTS recommended| |from 7.19.0 to 7.19.21 LTS|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |from 7.18.0 to 7.18.3|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |from 7.17.0 to 7.17.5|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| |Any earlier versions|8.9.1 or 8.5.9 LTS recommended or 7.19.22 LTS| \n h2. Server Atlassian recommends that Confluence Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: |Affected versions|Fixed versions| |from 8.5.0 to 8.5.8 LTS|8.5.9 LTS recommended| |from 8.4.0 to 8.4.5|8.5.9 LTS recommended| |from 8.3.0 to 8.3.4|8.5.9 LTS recommended| |from 8.2.0 to 8.2.3|8.5.9 LTS recommended| |from 8.1.0 to 8.1.4|8.5.9 LTS recommended| |from 8.0.0 to 8.0.4|8.5.9 LTS recommended| |from 7.20.0 to 7.20.3|8.5.9 LTS recommended| |from 7.19.0 to 7.19.21 LTS|8.5.9 LTS recommended or 7.19.22 LTS| |from 7.18.0 to 7.18.3|8.5.9 LTS recommended or 7.19.22 LTS| |from 7.17.0 to 7.17.5|8.5.9 LTS recommended or 7.19.22 LTS| |Any earlier versions|8.5.9 LTS recommended or 7.19.22 LTS| See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

EPSS 3.33% · 87.2th percentile

Risk Scores

CVSS v3.0

7.300000190734863

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

EPSS Score

3.33%

87.2th percentile

Affected Products

Vendor	Product	Versions
Atlassian	Confluence Server
Atlassian	Confluence Data Center

Timeline

Jul 16, 2024 CVE Published
Jul 17, 2024 EPSS Score
Aug 7, 2024 EPSS Score
Aug 28, 2024 EPSS Score
Sep 19, 2024 EPSS Score
Oct 31, 2024 EPSS Score
Nov 21, 2024 EPSS Score
Dec 13, 2024 EPSS Score
Jan 4, 2025 EPSS Score
Jan 25, 2025 EPSS Score
Feb 15, 2025 EPSS Score
Mar 8, 2025 EPSS Score

References

https://jira.atlassian.com/browse/CONFSERVER-96134 issue

Open in Interactive Console →