Confluence
CVE-2018-13389
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml.
AnalysisAI
The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-20. The attachment resource in Atlassian Confluence before version 6.6.1 allows remote attackers to spoof web content in the Mozilla Firefox Browser through attachments that have a content-type of application/rdf+xml. Affected products include: Atlassian Confluence. Version information: version 6.6.1.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Confluence
View allAtlassian Confluence before 5.8.17 allows remote authenticated users to read configuration files via the decoratorName p
Atlassian JIRA before 5.0.1; Confluence before 3.5.16, 4.0 before 4.0.7, and 4.1 before 4.1.10; FishEye and Crucible bef
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.10.6 allows remote attackers to inject arbitra
Cross-site scripting (XSS) vulnerability in Atlassian Confluence before 5.8.17 allows remote attackers to inject arbitra
The WebDAV endpoint in Atlassian Confluence Server and Data Center before version 6.6.7 (the fixed version for 6.6.x), f
There was a local file disclosure vulnerability in Confluence Server and Confluence Data Center via page exporting. Rate
Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if a user had permission to view a page when creatin
XXE injection in Atlassian Crowd Data Center and Server 7.1.0+ enables authenticated attackers to read local and remote
Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rend
There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Co
The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows remote attackers to inject arbitrary HTML or Java
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. Rated medium severity (CVSS 5.4), th
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today