Confluence has been updated to version 6.15.9

Page tree
Skip to end of metadata
Go to start of metadata


Be carefull about potential SQL injections which can be passed along the where clause. Make sure that the database user as associated to the grid has restricted rights.


  • there is no possibility to pass extra sql query(s) through ``issue in grid("","")`` search function (e.g. ``issue in grid("familylist","1=1; delete table familylist")`` - is not possible) \\ (thus, only the injections within the where-clause and, thus in inner select is possible)
  • neither MySQL, nor Oracle, nor HSQL, nor PostgreSQL, MSSQL syntax permits any create, update or delete statements within a select query
  • there are possibilities to pass a hang-threatening query to the server (e.g. by running some huge calculation query - where clause permits math functions use)
  • there is an ability for a hacker to learn, what version and what type (mysql, hsql, postgres or oracle) is the grid database (by running server and version-specific queries)
  • there is an ability to make dump-files on the server, thus littering the server with those
  • a tablename can be brute-forced and thus some table data can be brute-forced


  • No labels