NVD Vulnerability Detail

CVE-2024-21690

Summary	This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program.
Publication Date	Aug. 22, 2024, 1:15 a.m.
Registration Date	Aug. 26, 2024, 4:58 p.m.
Last Update	Nov. 7, 2024, 4:35 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667
2	https://jira.atlassian.com/browse/CONFSERVER-97720

Common Vulnerabilities List

JVN Vulnerability Information

Atlassian の Confluence Data Center および Confluence Server におけるクロスサイトスクリプティングの脆弱性

Title	Atlassian の Confluence Data Center および Confluence Server におけるクロスサイトスクリプティングの脆弱性
Summary	Atlassian の Confluence Data Center および Confluence Server には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 21, 2024, midnight
Registration Date	July 31, 2025, 11:37 a.m.
Last Update	July 31, 2025, 11:37 a.m.

Affected System

Atlassian

Confluence Data Center 7.19.0 から 7.19.25

Confluence Data Center 7.20.0 から 7.20.3

Confluence Data Center 8.0.0 から 8.0.4

Confluence Data Center 8.1.0 から 8.1.4

Confluence Data Center 8.2.0 から 8.2.3

Confluence Data Center 8.3.0 から 8.3.4

Confluence Data Center 8.4.0 から 8.4.5

Confluence Data Center 8.5.0 から 8.5.12

Confluence Data Center 8.6.0 から 8.6.2

Confluence Data Center 8.7.1 から 8.7.2

Confluence Data Center 8.8.0 から 8.8.1

Confluence Data Center 8.9.0 から 8.9.4

Confluence Server 7.19.0 から 7.19.25

Confluence Server 7.20.0 から 7.20.3

Confluence Server 8.0.0 から 8.0.4

Confluence Server 8.1.0 から 8.1.4

Confluence Server 8.2.0 から 8.2.3

Confluence Server 8.3.0 から 8.3.4

Confluence Server 8.4.0 から 8.4.5

Confluence Server 8.5.0 から 8.5.12

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-21690	https://www.cve.org/CVERecord?id=CVE-2024-21690
National Vulnerability Database (NVD)
2	CVE-2024-21690	https://nvd.nist.gov/vuln/detail/CVE-2024-21690

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

その他

No	Name	URL
関連文書
1	confluence.atlassian.com (viewpage.action?pageId=1431535667)	https://confluence.atlassian.com/pages/viewpage.action?pageId=1431535667
2	jira.atlassian.com (CONFSERVER-97720)	https://jira.atlassian.com/browse/CONFSERVER-97720

Change Log

No	Changed Details	Date of change
1	[2025年07月31日] 掲載	July 31, 2025, 11:37 a.m.