PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6283 Atlassian CVE debrief

CVE-2016-6283 is a medium-severity cross-site scripting issue in Atlassian Confluence. Per the CVE description and NVD record, attackers could inject arbitrary web script or HTML through the newFileName parameter in the pages/doeditattachment.action flow on affected Confluence versions before 5.10.6.

Vendor
Atlassian
Product
CVE-2016-6283
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-18
Original CVE updated
2026-05-13
Advisory published
2017-01-18
Advisory updated
2026-05-13

Who should care

Confluence administrators, application security teams, and any organization running Confluence 5.10.5 or earlier should care, especially if users can access attachment edit or rename workflows.

Technical summary

NVD classifies this as CWE-79 (cross-site scripting) with CVSS 3.0 vector CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected product scope in the NVD CPE data is Atlassian Confluence versions up to 5.10.5. The issue is triggered through the newFileName parameter to pages/doeditattachment.action, enabling script or HTML injection that can execute in a victim's browser when the malicious content is rendered in the Confluence context.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Atlassian Confluence to 5.10.6 or later, as the CVE description states the issue affects versions before 5.10.6.
  • Review and harden any input validation and output encoding around attachment edit and rename functionality, including the newFileName parameter path.
  • Monitor Confluence logs and web access telemetry for unusual requests to pages/doeditattachment.action and related attachment-edit endpoints.
  • Treat request-filtering protections such as WAF rules as compensating controls only; they do not replace the product update.
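The monitoring action above, as an added example that is not PatchSiren's or Atlassian's code: it scans constructed Apache/Tomcat "combined" access log lines, picks out requests to pages/doeditattachment.action, and flags any newFileName value that carries HTML metacharacters or is implausibly long. It assumes the parameter arrives in the query string (POST bodies are not visible in access logs) and that the log format matches the regex below.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed Apache/Tomcat "combined" access log layout (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

TARGET_PATH = "/pages/doeditattachment.action"
# Characters that do not belong in an attachment name and are significant to an HTML parser.
HTML_META = set('<>"\'&')

def inspect_line(line):
    """Return a finding dict for a doeditattachment.action request with a suspicious newFileName, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(TARGET_PATH):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for raw in params.get("newFileName", []):
        name = unquote(raw)  # parse_qs decodes once; a second pass catches double-encoded values
        if HTML_META & set(name):
            reasons.append("html metacharacters in newFileName")
        if len(name) > 255:
            reasons.append("newFileName longer than 255 chars")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "reasons": sorted(set(reasons))}

def scan(lines):
    """Run inspect_line over an iterable of log lines and keep only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]

# Constructed sample log lines (not real traffic); the second carries HTML tags in newFileName.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2017:10:00:01 +0000] "GET /pages/doeditattachment.action?pageId=123&fileName=a.txt&newFileName=report.txt HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jan/2017:10:00:07 +0000] "GET /pages/doeditattachment.action?pageId=123&fileName=a.txt&newFileName=%3Cb%3Ereport%3C%2Fb%3E.txt HTTP/1.1" 200 611',
    '10.0.0.9 - - [18/Jan/2017:10:00:09 +0000] "GET /pages/viewpage.action?pageId=123 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for triage, not proof of exploitation; on a patched 5.10.6+ instance the same request is rejected or encoded safely, so pair this with the version check.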

Evidence notes

This debrief is based on the official CVE/NVD corpus supplied here. The CVE description states the flaw is a cross-site scripting vulnerability in Atlassian Confluence before 5.10.6 involving the newFileName parameter to pages/doeditattachment.action. NVD lists CWE-79 and CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and the vulnerable CPE range ends at 5.10.5. NVD also references third-party advisories including Packet Storm, Full Disclosure, SecurityFocus, and Exploit-DB; those references are present as corroborating sources in the record.

Official resources

Publicly disclosed and recorded in the CVE/NVD record on 2017-01-18. This debrief uses that CVE publication date for timing context.