CVE-2020-36290: 
Confluence Server vulnerability analysis and mitigation

The Livesearch macro in Confluence Server and Data Center contained a cross-site scripting (XSS) vulnerability tracked as CVE-2020-36290. The vulnerability affected versions before 7.4.5, versions 7.5.0 to 7.6.3, and versions 7.7.0 to 7.7.4. This security issue was discovered in July 2020 and publicly disclosed in July 2022 (NVD, Atlassian).

The vulnerability is a stored XSS issue in the page excerpt functionality of the Livesearch macro. It received a CVSS v3.1 score of 5.4 (Medium severity), indicating moderate impact. The vulnerability is classified as CWE-79 (Cross-site Scripting) and requires an authenticated user with page or blog editing permissions to exploit (NVD).

When successfully exploited, the vulnerability allows attackers with page or blog editing permissions to inject arbitrary HTML or JavaScript code that would execute in victims' browsers. This could potentially lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected user's session (CVE).

Atlassian addressed this vulnerability by releasing fixed versions: 7.4.5, 7.6.3, and 7.7.4. Users of affected versions are advised to upgrade to the nearest fixed version appropriate for their installation (Atlassian).