Summary | XSRF vulnerabilities in User Profile Configuration of User Profiles for Confluence |
---|---|
Advisory Release Date | 30 September 2021 |
Product | User Profiles for Confluence |
Affected User Profiles for Confluence Versions | all versions up to and including 3.3.10 |
Fixed User Profiles for Confluence Version | 3.3.11 |
Problem
We were able to identify some security vulnerabilities in our User Profiles for Confluence app.
These are cross-site request forgery (XSRF) vulnerabilities which could be used to force an administrator to:
change the Company Chat App integration
enable or disable login synchronization
enable or disable Enhanced profile macro
purge data for deleted and deactivated users
change the Manager Configuration
edit User Profile Picture
The vulnerabilities have been rated as P3 (Medium) according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).
All User Profiles for Confluence versions up to and including 3.3.10 are affected.
Solution
If you are using an affected version of the User Profiles for Confluence app (3.3.10 or earlier), please update immediately to User Profiles for Confluence 3.3.11.
Root Cause
The vulnerabilities were caused by the requests mentioned above not carrying an XSRF security token, so the server could not distinguish an administrator's own request from one forged by another site.
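To illustrate the root cause, here is an added example (not the app's own code) that models one of the affected admin actions, toggling login synchronization, first without and then with a synchronizer token bound to the session; the session store, settings dict and handler names are constructed for this example, and the `atl_token` form field name follows Confluence's convention.

```python
import hmac
import secrets

# Constructed in-memory stand-ins: the browser sends the session cookie with
# every request, including one triggered by a form on an attacker's page.
SESSIONS = {"sess-admin": {"user": "admin", "is_admin": True}}


def issue_xsrf_token(session_id):
    """Mint a random token and bind it to the session (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["xsrf_token"] = token
    return token


def set_login_sync_vulnerable(session_id, form, settings):
    """Before the fix: only the session is checked, so a cross-site form post
    carrying the admin's cookie changes the setting. Returns an HTTP status."""
    sess = SESSIONS.get(session_id)
    if not sess or not sess["is_admin"]:
        return 403
    settings["login_sync_enabled"] = form.get("enabled") == "true"
    return 200


def set_login_sync_fixed(session_id, form, settings):
    """After the fix: the request must also present the token bound to the
    session. A forged cross-site request cannot read that token, so it is
    rejected before any state changes."""
    sess = SESSIONS.get(session_id)
    if not sess or not sess["is_admin"]:
        return 403
    expected = sess.get("xsrf_token")
    supplied = form.get("atl_token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    settings["login_sync_enabled"] = form.get("enabled") == "true"
    return 200


def demo():
    """Replay a token-less admin request against both handlers."""
    forged = {"enabled": "true"}  # what a cross-site form could submit
    before = {"login_sync_enabled": False}
    after = {"login_sync_enabled": False}
    return {
        "vulnerable": (set_login_sync_vulnerable("sess-admin", forged, before), before),
        "fixed": (set_login_sync_fixed("sess-admin", forged, after), after),
    }
```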