Bypassing XSS Protection in Confluence Server via HTML Include and Replace Macro Plugin

Bypassing XSS Protection in Confluence Server via HTML Include and Replace Macro Plugin

CVE-2019-15053 · MEDIUM Severity

AV:N/AC:M/AU:S/C:P/I:P/A:P

The "HTML Include and replace macro" plugin before 1.5.0 for Confluence Server allows a bypass of the includeScripts=false XSS protection mechanism via vectors involving an IFRAME element.

Learn more about our Cis Benchmark Audit For Server Software.