vulnerability

Atlassian Confluence: Improper Neutralization of Special Elements in Output Used by a DownstreamComponent ('Injection') (CVE-2023-22522)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:C)	12/06/2023	12/12/2023	01/28/2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

12/06/2023

Added

12/12/2023

Modified

01/28/2025

Description

This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Data Center and Server versions as listed below are at risk and require immediate attention. See the advisory for additional details

Atlassian Cloud sites are not affected by this vulnerability. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.

Solution(s)

atlassian-confluence-upgrade-7_19_17atlassian-confluence-upgrade-8_4_5atlassian-confluence-upgrade-8_5_4atlassian-confluence-upgrade-8_6_2atlassian-confluence-upgrade-8_7_1

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today