How to fix CVE-2025-13523?

Within 24 hours: Disable the Mattermost Confluence plugin and notify users not to accept new Confluence connection requests until patched. Within 7 days: Audit user access logs for suspicious OAuth2 connection activity and monitor for any JavaScript execution anomalies. Within 30 days: Implement content security policy (CSP) headers to mitigate XSS impact, apply vendor patch immediately upon release, and conduct security awareness training on phishing/malicious link risks.

Is Confluence affected by CVE-2025-13523?

A stored cross-site scripting (XSS) vulnerability in Mattermost's Confluence plugin allows authenticated attackers to inject malicious code through specially crafted OAuth2 links, potentially compromising user sessions and enabling credential theft or lateral movement.

CVE-2025-13523

HIGH

2026-02-06 [email protected]

GHSA-ffx7-34p2-vm3w

7.7

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 06, 2026 - 16:16 nvd

HIGH 7.7

Description

Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557

Analysis

Technical Context

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Confluence. Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker's display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557

Affected Products

Vendor: Mattermost. Product: Confluence.

Remediation

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

Vendor Status

CVE-2025-13523 vulnerability details – vuln.today

Back

CVE-2025-13523

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-13523

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code