What is the severity of CVE-2024-21690?

CVE-2024-21690 has a high severity rating due to its potential for enabling both reflected XSS and CSRF attacks.

How do I fix CVE-2024-21690?

To mitigate CVE-2024-21690, upgrade your Atlassian Confluence Data Center and Server to a version beyond 8.9.0 where this vulnerability is resolved.

What versions of Confluence are affected by CVE-2024-21690?

CVE-2024-21690 affects Confluence Data Center and Server versions from 7.19.0 to 8.9.0.

What types of attacks does CVE-2024-21690 enable?

CVE-2024-21690 enables reflected cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

Is CVE-2024-21690 being actively exploited?

As of the last reports, CVE-2024-21690 is recognized as a critical vulnerability, and organizations are urged to address it promptly to prevent potential exploitation.

Vulnerability/
CVE-2024-21690

high

7.1

CWE

79 352

21/8/2024

6/11/2024

CVE-2024-21690: XSS

First published: Wed Aug 21 2024(Updated: )

This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.

Credit: security@atlassian.com

Affected Software	Affected Version	How to fix
Atlassian Confluence Server and Data Center	>=7.19.0<=8.9.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-21690?
CVE-2024-21690 has a high severity rating due to its potential for enabling both reflected XSS and CSRF attacks.
How do I fix CVE-2024-21690?
To mitigate CVE-2024-21690, upgrade your Atlassian Confluence Data Center and Server to a version beyond 8.9.0 where this vulnerability is resolved.
What versions of Confluence are affected by CVE-2024-21690?
CVE-2024-21690 affects Confluence Data Center and Server versions from 7.19.0 to 8.9.0.
What types of attacks does CVE-2024-21690 enable?
CVE-2024-21690 enables reflected cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.
Is CVE-2024-21690 being actively exploited?
As of the last reports, CVE-2024-21690 is recognized as a critical vulnerability, and organizations are urged to address it promptly to prevent potential exploitation.

agent/references
agent/description
agent/type
agent/first-publish-date
agent/severity
agent/author
agent/weakness
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/last-modified-date
agent/event
agent/source
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/atlassian
canonical/atlassian confluence server and data center