We were made aware of a potential XSS exploit where a user could use the iframe macro to inject a lookalike website into a Confluence instance.
This attack is limited to the content of the iframe, and because the browser's same-origin policy still applies, any attempt to steal credentials would require a further exploit.
According to Atlassian's security severity levels this bug is ranked as Medium.
This vulnerability affects all previous versions of the app.
How to fix the vulnerability
This vulnerability can be fixed by upgrading to Content Formatting 6.3.1 or above. Full instructions on how to upgrade an app can be found on Atlassian's support page. Once you've upgraded, a new feature will be available in the Confluence app/add-on menu, entitled the iframe configuration menu.
This new feature automatically sandboxes all iframe macros in your instance and gives you the ability to allow, sandbox or deny iframes according to your internal security policy.
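As an added illustration, not Content Formatting's own code, the following hypothetical JavaScript policy evaluator shows the allow/sandbox/deny decision described above applied to an iframe macro's src; the policy table, host names and sandbox tokens are assumptions:

```javascript
// Hypothetical iframe macro policy evaluator (added example, not the app's code).
// Actions: "allow" (plain iframe), "sandbox" (restricted iframe), "deny" (no iframe).
const EXAMPLE_POLICY = {
  defaultAction: "sandbox", // anything not listed below is sandboxed
  rules: [
    { host: "intranet.example.com", action: "allow" },  // constructed trusted host
    { host: "login-lookalike.example", action: "deny" }, // constructed blocked host
  ],
};

// Lower-cased hostname of an http(s) URL, or null for anything else
// (javascript:, data:, relative or malformed values are never framed).
function hostOf(src) {
  let u;
  try { u = new URL(src); } catch { return null; }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return u.hostname.toLowerCase();
}

// A rule host matches itself and any of its subdomains.
function hostMatches(host, pattern) {
  const p = pattern.toLowerCase();
  return host === p || host.endsWith("." + p);
}

function decide(src, policy) {
  const host = hostOf(src);
  if (host === null) return "deny";
  const rule = policy.rules.find((r) => hostMatches(host, r.host));
  return rule ? rule.action : policy.defaultAction;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Render the macro as HTML, or return null when the policy denies it.
function renderIframeMacro(src, policy) {
  const action = decide(src, policy);
  if (action === "deny") return null;
  const attrs = [`src="${escapeAttr(src)}"`];
  if (action === "sandbox") {
    // Token set is illustrative: scripts may run, but the framed page gets an
    // opaque origin (no allow-same-origin) and cannot navigate the top-level
    // Confluence window (no allow-top-navigation).
    attrs.push('sandbox="allow-scripts"');
  }
  return `<iframe ${attrs.join(" ")}></iframe>`;
}
```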
More information can be found in our documentation.
If you have urgent questions please contact our support team.