CVE-2020-36290

Summary

The Livesearch macro in Confluence Server and Data Center before version 7.4.5, from version 7.5.0 before 7.6.3, and from version 7.7.0 before version 7.7.4 allows remote attackers with permission to edit a page or blog to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the page excerpt functionality.

Affected Software

VendorProductVersion RangeStatus
AtlassianConfluence Serverunspecified < 7.4.5affected
AtlassianConfluence Server7.5.0 < unspecifiedaffected
AtlassianConfluence Serverunspecified < 7.6.3affected
AtlassianConfluence Server7.7.0 < unspecifiedaffected
AtlassianConfluence Serverunspecified < 7.7.4affected
AtlassianConfluence Data Centerunspecified < 7.4.5affected
AtlassianConfluence Data Center7.5.0 < unspecifiedaffected
AtlassianConfluence Data Centerunspecified < 7.6.3affected
AtlassianConfluence Data Center7.7.0 < unspecifiedaffected
AtlassianConfluence Data Centerunspecified < 7.7.4affected

Weaknesses

  • Cross Site Scripting (XSS)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References