Summary | JavaScript code can be injected into the Mapping for LDAP Attribute(s) field in the User Profile Configuration and into the Location of User Profile Picture field when editing the User Profile Picture – Synchronization profile element |
---|---|
Advisory Release Date | 04 December 2020 |
Product | User Profiles for Confluence |
Affected User Profiles for Confluence Versions | all versions up to version 3.3.7 |
Fixed User Profiles for Confluence Version | 3.3.8 |
Problem
We identified two security vulnerabilities in our User Profiles for Confluence app.
The first vulnerability allows JavaScript code to be injected into the Mapping for LDAP Attribute(s) field in the editing dialog of any profile element. The injected code is then executed when an LDAP synchronization starts.
The second vulnerability allows JavaScript code to be injected into the Location of User Profile Picture field in the editing dialog of the User Profile Picture – Synchronization profile element. As with the first vulnerability, the injected code is then executed when an LDAP synchronization starts.
Solution
If you are using the User Profiles for Confluence app in one of the affected versions (up to 3.3.7), please update immediately to User Profiles for Confluence 3.3.8.
Root Cause
Due to an error in input sanitization, users editing the profile elements could inject malicious data into the Mapping for LDAP Attribute(s) field and the Location of User Profile Picture field. This qualifies as a stored cross-site scripting (XSS) vulnerability. The malicious code is then executed when an LDAP synchronization is triggered.
We have fixed the problematic code to prevent displaying such potentially harmful element values.
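
One way to close this class of stored XSS, shown as an added example that is not the app's own code: reject non-conforming values when the field is saved, and HTML-encode the stored value wherever it is displayed. It assumes the mapping field holds comma-separated LDAP attribute short names; all function names are hypothetical.

```javascript
// Added example; not code from User Profiles for Confluence.
// Assumption: the "Mapping for LDAP Attribute(s)" field holds one or more
// comma-separated LDAP attribute short names (e.g. "mail, telephoneNumber").

// RFC 4512 short name: a letter followed by letters, digits or hyphens.
const LDAP_ATTRIBUTE_NAME = /^[A-Za-z][A-Za-z0-9-]*$/;

// Save-time control: allowlist validation of the configured mapping.
// Returns the parsed names, or the entries that were rejected.
function parseLdapAttributeMapping(raw) {
  const names = String(raw).split(",").map((s) => s.trim());
  const rejected = names.filter((n) => !LDAP_ATTRIBUTE_NAME.test(n));
  return rejected.length > 0 ? { ok: false, rejected } : { ok: true, names };
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Display-time control: encode for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for one row of a synchronization view. Values that
// were stored before validation existed are still rendered inert, because
// every stored value is encoded on output.
function renderMappingRow(elementName, storedMapping) {
  return "<tr><td>" + escapeHtml(elementName) + "</td><td>" +
    escapeHtml(storedMapping) + "</td></tr>";
}

// Constructed sample values, for illustration only.
const legitimate = "mail, telephoneNumber";
const hostile = 'mail"><script>alert(1)</script>';

console.log(parseLdapAttributeMapping(legitimate)); // accepted
console.log(parseLdapAttributeMapping(hostile));    // rejected at save time
console.log(renderMappingRow("E-Mail", hostile));   // markup shown as text
```

Validation alone does not cover values already stored by an affected version, which is why the encoding step is applied on every display.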