Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the JavaScript executes within that user’s browser in the context of this domain. Stored XSS can be found on this domain which allows an attacker to submit data to a form and escalate from no privileges to any user type, which could include an Administrator level user.

When an attacker can control code that is executed within a user’s browser, they are able to carry out any actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

Business Impact

Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

1. Setup Confluence Cloud and install PlantUML, Swagger, drawio.xml, Mermaid, Markdown, HTML (Macro Pack) app.

2. Create a new page in any Confluence space:

   • Click Create button on the top bar, select Page.

   • Give the page a title.

3. Insert Macro Pack into the page with XSS payload:

   • Type /macro pack then select Macro Pack.

   • For the Source, select Text.

   • For the Source code, enter the following XSS payload: Not existing attachment: <img src onerror="alert('XSS! at '+origin)">

   • For the Input type, select anything e.g. AsciiDoc.

   • Click Insert button.

4. Publish the page.

5. Every time this page is opened and macro is loaded (it will take a while to load), an alert will pop up, confirming JavaScript is executed.