CVE-2024-21690 Overview
CVE-2024-21690 is a Reflected Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability in Atlassian Confluence Data Center and Server. The flaw allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser. Attackers can also force authenticated users to perform unintended actions on the application. The vulnerability requires user interaction and was reported through the Atlassian Bug Bounty program. It maps to [CWE-79] Improper Neutralization of Input During Web Page Generation.
Critical Impact
An unauthenticated attacker can deliver a crafted link that executes script in an authenticated user's browser session, resulting in high confidentiality impact and low integrity impact through CSRF-driven actions.
Affected Products
- Atlassian Confluence Data Center (versions 7.19.0 through 8.9.0 in affected branches)
- Atlassian Confluence Server (versions 7.19.0 through 8.9.0 in affected branches)
- Specifically affected releases: 7.19.0, 7.20.0, 8.0.0–8.9.0
Discovery Timeline
- 2024-08-21 - CVE-2024-21690 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-21690
Vulnerability Analysis
The vulnerability combines two distinct web application weaknesses in Confluence Data Center and Server. Reflected XSS occurs when user-supplied input is echoed in an HTTP response without output encoding appropriate to the context it lands in (HTML body, attribute value, or script). CSRF allows an attacker-controlled web page to issue state-changing requests that the victim's browser automatically decorates with the Confluence session cookie. Chaining these flaws lets an unauthenticated attacker coerce a logged-in user into executing attacker-controlled actions inside Confluence; the attack succeeds when an authenticated user clicks a crafted link or visits a malicious page. EPSS scores the probability of exploitation in the wild at 0.712%. That is a low score and should not be read as evidence of active exploitation; it matters mainly because Confluence is a frequently targeted product and exposed instances are routinely scanned.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. A Confluence endpoint reflects attacker-supplied parameters into the response without sufficient encoding. The same request flow also lacks adequate CSRF protections, allowing cross-origin invocation. Together, these gaps allow script execution in the authenticated user's browser context.
Attack Vector
The attack is network-based and requires user interaction. The attacker crafts a URL or HTML payload that, when loaded by an authenticated Confluence user, triggers script execution in that user's session. Running with the Confluence origin, the script can read content the victim is allowed to see, invoke state-changing actions in the victim's name (the CSRF component), and, where the session cookie is not marked HttpOnly, exfiltrate the cookie itself. No authentication is needed on the attacker's side; the victim's browser supplies it.
No verified public proof-of-concept code is currently available for this vulnerability. Refer to the Atlassian Confluence Security Advisory and Atlassian Jira Issue CONFSERVER-97720 for vendor technical details.
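As an added illustration of the two weakness classes (this is example code written for this page, not Confluence source and not a proof of concept for the CVE), the Python below shows a hypothetical search handler that reflects a parameter verbatim beside its output-encoded form, and a CSRF check of the kind the advisory says is absent on the affected request flow. The endpoint, the parameter name `q`, and the session and request dictionaries are stand-ins chosen for the example.

```python
"""Reflected XSS and CSRF, shown as a vulnerable/hardened pair.

Added example for this page. Not Confluence code and not a PoC for
CVE-2024-21690; the handler, parameter name and request/session shapes
are hypothetical.
"""
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Constructed payload: an attribute event handler, so it fires without <script>.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_search_vulnerable(q: str) -> str:
    """CWE-79 pattern: the parameter lands in the HTML body unchanged."""
    return f"<h1>Results for {q}</h1>"


def render_search_hardened(q: str) -> str:
    """Same page with encoding for an HTML text-node context.

    html.escape(quote=True) also neutralises quotes, so the same helper is
    safe if the value is later moved into a quoted attribute.
    """
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"


def new_csrf_token() -> str:
    """Per-session secret that a cross-origin page can neither read nor guess."""
    return secrets.token_urlsafe(32)


def csrf_ok(session: dict, request: dict, site_origin: str) -> bool:
    """Accept a state-changing request only if it came from our own pages.

    Two independent checks: a synchronizer token bound to the session, and
    an Origin header (Referer as fallback) matching the site's origin.
    """
    if request.get("method", "GET").upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state; nothing to protect
    expected = session.get("csrf_token", "")
    presented = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    headers = request.get("headers", {})
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == site_origin


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))  # payload reaches the browser as markup
    print(render_search_hardened(PAYLOAD))    # payload reaches the browser as text
```

The CSRF check deliberately treats a request with neither Origin nor Referer as hostile; browsers strip Referer under some referrer policies, so production code usually pairs this with SameSite=Lax or Strict on the session cookie rather than relying on the header alone.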
Detection Methods for CVE-2024-21690
Indicators of Compromise
- Inbound HTTP requests to Confluence endpoints whose query parameters or POST bodies contain XSS metacharacters such as <script>, javascript:, onerror= or onload=, including their URL-encoded and double-encoded forms.
- Referer headers from external domains on requests to Confluence URLs carrying unusual or heavily encoded parameter content.
- Requests to Confluence that carry a valid session cookie but an external Referer, arriving immediately after a user followed a link from outside the instance.
- Confluence audit log entries for state-changing actions that the named user does not recognise, particularly when they cluster shortly after such a request.
Detection Strategies
- Inspect web server and reverse proxy logs for HTML or JavaScript metacharacters in Confluence request parameters.
- Deploy Web Application Firewall (WAF) signatures targeting reflected XSS patterns directed at Confluence URIs.
- Correlate authentication events with subsequent state-changing API calls to detect session abuse following link-clicks.
- Configure a Content-Security-Policy report-uri (or report-to) at the reverse proxy and monitor the resulting violation reports from Confluence pages; browser console errors are only visible on the client and are not a server-side signal.
Monitoring Recommendations
- Enable verbose access logging on Confluence and forward logs to a centralized analytics platform for retroactive search.
- Alert on requests to Confluence that contain encoded script payloads such as %3Cscript%3E or %6A%61%76%61%73%63%72%69%70%74.
- Track CSRF token validation failures and unexpected referrer anomalies on administrative endpoints.
- Review Confluence audit logs daily for privileged actions taken from unexpected source IPs or user agents.
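The following Python is added here as a worked example of the detection and monitoring logic above; it is not Atlassian tooling. It runs over constructed access-log lines in nginx/Apache combined format, URL-decodes each query parameter repeatedly so double-encoded payloads such as %253Cscript%253E are not missed, matches the metacharacters listed under Indicators of Compromise, and flags an external Referer on any hit. The hostnames, IP addresses and paths in the sample lines are invented and are not the endpoint affected by the CVE.

```python
"""Scan access logs for the reflected-XSS indicators listed on this page.

Added example, not Confluence or Atlassian tooling. SAMPLE_LOG is constructed
for the example; hosts, IPs and paths such as /wiki/example.action are
hypothetical and are not the vulnerable endpoint.
"""
import html
import re
from urllib.parse import unquote_plus, urlsplit

OWN_HOST = "confluence.example.internal"  # hypothetical Confluence hostname

# nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Metacharacter patterns from the IoC list, applied to the *decoded* value.
XSS_RE = re.compile(
    r"<\s*/?\s*script|javascript\s*:|\bon(?:error|load|click|mouseover|focus)\s*=|"
    r"<\s*(?:img|svg|iframe|object)\b",
    re.IGNORECASE,
)

# Constructed sample lines: benign search, encoded <script>, double-encoded
# javascript: URL, a POST with no query string, and an onerror= attribute.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2024:10:01:02 +0000] "GET /wiki/example.action?q=quarterly+report HTTP/1.1" 200 4123 "https://confluence.example.internal/wiki/dashboard.action" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Aug/2024:10:02:11 +0000] "GET /wiki/example.action?param=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.9 - - [21/Aug/2024:10:02:40 +0000] "GET /wiki/example.action?u=%256A%2561%2576%2561%2573%2563%2572%2569%2570%2574%253Aalert(1) HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Aug/2024:10:03:00 +0000] "POST /wiki/rest/api/content HTTP/1.1" 200 800 "https://confluence.example.internal/wiki/pages/createpage.action" "Mozilla/5.0"',
    '10.0.0.8 - - [21/Aug/2024:10:04:15 +0000] "GET /wiki/example.action?title=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5120 "https://confluence.example.internal/wiki/dashboard.action" "Mozilla/5.0"',
]


def fully_decode(raw: str, max_rounds: int = 3) -> tuple[str, int]:
    """URL-decode until stable (bounded), then HTML-unescape; return (value, rounds used)."""
    value, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return html.unescape(value), rounds


def scan_line(line: str, own_host: str = OWN_HOST) -> list[str]:
    """Return findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    findings: list[str] = []
    # Split the raw query ourselves: parse_qsl would decode once and hide double encoding.
    for pair in urlsplit(m["target"]).query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        value, rounds = fully_decode(raw)
        if XSS_RE.search(value):
            findings.append(f"xss_pattern param={name} decoded={value[:60]!r}")
        if rounds > 1:
            findings.append(f"double_encoded param={name}")
    referer = m["referer"]
    if findings and referer not in ("", "-"):
        ref_host = (urlsplit(referer).hostname or "").lower()
        if ref_host != own_host:
            findings.append(f"external_referer host={ref_host}")
    return findings


def scan_log(lines: list[str], own_host: str = OWN_HOST) -> dict[int, list[str]]:
    """Map line index -> findings for every line that produced at least one finding."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line, own_host))}


if __name__ == "__main__":
    for idx, found in scan_log(SAMPLE_LOG).items():
        print(idx, found)
```

Access logs record the request line only, so POST bodies are out of reach here; body inspection belongs in the WAF or a full-request logging proxy. Expect tuning: parameters that legitimately carry markup will match XSS_RE, and the external-Referer finding is only raised on lines that already matched, to keep ordinary cross-site navigation out of the alert stream.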
How to Mitigate CVE-2024-21690
Immediate Actions Required
- Upgrade Confluence Data Center and Server to the latest available release as recommended by Atlassian.
- For the 7.19 branch, upgrade to 7.19.26 or later; for the 8.5 branch, upgrade to 8.5.14 or later; for the 9.0 branch, upgrade to 9.0.1 or later.
- Inventory all internet-exposed Confluence instances and prioritize those reachable from untrusted networks.
- Review audit logs for suspicious activity, and once the upgrade is in place invalidate active sessions (forcing re-authentication) so that any session token captured before patching cannot be reused.
Patch Information
Atlassian has released fixed versions addressing CVE-2024-21690. Customers should consult the Confluence Release Notes and download fixed builds from the Atlassian Download Archives. The vendor advisory is published at the Atlassian Confluence Security Page.
Workarounds
- Restrict Confluence access to trusted networks via VPN or IP allowlisting where upgrade is not immediately possible.
- Deploy WAF rules that block script payloads in query strings targeting Confluence endpoints.
- Educate users to avoid clicking unverified links that point to internal Confluence URLs containing unusual parameters.
- Apply a Content Security Policy at the reverse proxy layer to limit inline script execution. Confluence's own UI depends heavily on inline scripts, so a script-src without 'unsafe-inline' will break pages; roll the policy out in Content-Security-Policy-Report-Only mode first, review the violation reports, and only then enforce it.
# Example reverse-proxy header hardening for Confluence (nginx)
# Caveat: Confluence pages use inline scripts, so script-src 'self' alone breaks the UI.
# Ship the policy as Report-Only first; once the reports are clean, change the header
# name to Content-Security-Policy to enforce it.
# Note: an add_header inside a location block replaces every add_header inherited from server.
add_header X-XSS-Protection "0" always;   # legacy browser XSS filter is deprecated; "0" avoids filter-induced breakage
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

