| Summary | JavaScript code can be injected into the Mapping for LDAP Attribute(s) field of the User Profile Configuration, and into the Location of User Profile Picture field when editing the User Profile Picture – Synchronization profile element on the Advanced Options page. |
|---|---|
| Advisory Release Date | 04 December 2020 |
| Product | User Profiles for Confluence |
| Affected User Profiles for Confluence Versions | all versions up to and including 3.3.7 |
| Fixed User Profiles for Confluence Version | 3.3.8 |
Problem
We were able to identify two security vulnerabilities in our User Profiles for Confluence app. The first vulnerability allows JavaScript code to be injected into the Mapping for LDAP Attribute(s) field in the editing dialog of any profile element. The injected code is then executed when an LDAP synchronization starts. The second vulnerability allows JavaScript code to be injected into the Location of User Profile Picture field in the editing dialog of the User Profile Picture – Synchronization profile element, reached from the user profile configuration Advanced Options page. As with the first vulnerability, the injected code is then executed when an LDAP synchronization starts. The injection of JavaScript is possible for a privileged user who has permission to create or modify profile elements.
The vulnerability has been rated as P3 according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).
Solution
If you are using the User Profiles for Confluence app in one of the affected versions (3.3.7 or earlier), please update immediately to User Profiles for Confluence 3.3.8.
Root Cause
Due to an error in input sanitizing, users editing profile elements could inject malicious data into the Mapping for LDAP Attribute(s) field and the Location of User Profile Picture field. Because of incorrect escaping, our app would render data provided by an attacker as HTML in the context of the user viewing the content. This qualifies as a stored cross-site scripting (XSS) vulnerability. The malicious HTML, which may contain JavaScript, is then executed when an LDAP synchronization is triggered.
We have fixed the problematic code so that such potentially harmful element values are no longer rendered as HTML. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.
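As an added illustration of the root cause described above (example code written for this advisory, not code from the User Profiles for Confluence app): a stored field value is concatenated into page markup unescaped, beside the corrected renderer that escapes every untrusted value at the point it enters the HTML. The row renderer, the `ldapAttribute` field name, the audit helper and the sample configuration are all assumptions made for illustration and do not reflect the app's internal structure.

```javascript
// Added example, not the app's own code. Shows the stored-XSS pattern from
// the advisory: an attribute mapping saved by a privileged editor is later
// rendered into the synchronization status page.

// Minimal HTML escaping for text placed into an element body or a
// double-quoted attribute value. '&' is replaced first so that the
// entities produced by the later replacements are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed, for illustration): the stored mapping value
// is concatenated into the markup unchanged, so any tags it contains become
// part of the page and run in the viewing user's browser.
function renderSyncRowUnsafe(element) {
  return '<tr><td>' + element.name + '</td>' +
         '<td>' + element.ldapAttribute + '</td></tr>';
}

// Fixed pattern: every untrusted value is escaped where it enters the HTML,
// so the stored text is displayed literally instead of being interpreted.
function renderSyncRowSafe(element) {
  return '<tr><td>' + escapeHtml(element.name) + '</td>' +
         '<td>' + escapeHtml(element.ldapAttribute) + '</td></tr>';
}

// Audit helper (assumed) for administrators still on an affected version:
// returns the names of profile elements whose mapping contains characters
// that would be interpreted as markup if rendered unescaped.
function findMarkupInMappings(elements) {
  return elements
    .filter(e => /[<>"']/.test(e.ldapAttribute))
    .map(e => e.name);
}

// Constructed sample configuration standing in for stored profile elements.
// The second entry carries a textbook XSS canary, not a real mapping.
const SAMPLE_ELEMENTS = [
  { name: 'E-mail', ldapAttribute: 'mail' },
  { name: 'Department', ldapAttribute: 'ou<script>alert(1)</script>' },
];

function demo() {
  for (const e of SAMPLE_ELEMENTS) {
    console.log('unsafe:', renderSyncRowUnsafe(e));
    console.log('safe:  ', renderSyncRowSafe(e));
  }
  console.log('mappings containing markup:', findMarkupInMappings(SAMPLE_ELEMENTS));
}

demo();
```

The same escaping rule applies to the Location of User Profile Picture field: a URL-like value must also pass through an escaper (and, if placed in a `src` attribute, be validated as an http(s) URL) before it is written into the page.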