
Summary

XSRF vulnerabilities in User Profile Configuration of User Profiles for Confluence

Advisory Release Date

Product

User Profiles for Confluence

Affected User Profiles for Confluence Versions

all versions up to and including 3.3.10

Fixed User Profiles for Confluence Version

3.3.11

Problem

We identified several security vulnerabilities in our User Profiles for Confluence app.

These are cross-site request forgery (XSRF) vulnerabilities, which could be used to trick a logged-in administrator's browser into performing the following actions without the administrator's consent:

  1. change the Company Chat App integration

  2. enable or disable login synchronization

  3. enable or disable Enhanced profile macro

  4. purge data for deleted and deactivated users

  5. change the Manager Configuration

  6. edit User Profile Picture

Solution

If you are using the User Profiles for Confluence app in one of the affected versions (3.3.10 or earlier), please update immediately to User Profiles for Confluence 3.3.11.

Root Cause

The vulnerabilities were caused by the requests listed above not including an XSRF security token, so the server could not tell a request submitted from the app's own configuration pages apart from one submitted by a third-party site.
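As an added illustration (not code from the app or this advisory), the check whose absence is described above: a synchronizer token is issued per session and verified on the state-changing request, shown as a "before" handler that honours any request carrying the administrator's session beside the fixed handler that refuses one without a matching token. The endpoint path, handler shape and in-memory token store are assumed; only the atl_token parameter name follows Confluence's convention.

```python
import hmac
import secrets
from collections import namedtuple
# Constructed model of an admin request; the browser attaches the session cookie automatically.
Request = namedtuple("Request", "method path session_id params")
# Constructed in-memory store of per-session synchronizer tokens (never exposed cross-origin).
_session_tokens = {}
def issue_token(session_id: str) -> str:
    """Mint a random token bound to the session; the app's own settings form embeds it."""
    token = secrets.token_urlsafe(32)
    _session_tokens[session_id] = token
    return token

def xsrf_token_is_valid(req: Request) -> bool:
    """Accept only a request whose atl_token matches the token issued to its session."""
    expected = _session_tokens.get(req.session_id)
    supplied = req.params.get("atl_token")
    if expected is None or supplied is None:
        return False
    return hmac.compare_digest(expected, supplied)

def toggle_login_sync_vulnerable(req: Request, config: dict) -> int:
    """Before the fix: any POST carrying the admin's session is honoured, token or not."""
    if req.method != "POST" or req.path != "/admin/login-sync":
        return 404
    config["login_sync"] = req.params.get("enabled") == "true"
    return 200

def toggle_login_sync_fixed(req: Request, config: dict) -> int:
    """After the fix: the state change is refused unless the synchronizer token checks out."""
    if req.method != "POST" or req.path != "/admin/login-sync":
        return 404
    if not xsrf_token_is_valid(req):
        return 403
    config["login_sync"] = req.params.get("enabled") == "true"
    return 200
def simulate() -> dict:
    """Run a legitimate and a forged request through both handlers; return (status, setting)."""
    admin = "session-of-logged-in-admin"
    token = issue_token(admin)
    # Legitimate submit from the app's own settings page: carries the session's token.
    legit = Request("POST", "/admin/login-sync", admin, {"enabled": "true", "atl_token": token})
    # Forged cross-site submit: the cookie rides along, but the third-party page never sees the token.
    forged = Request("POST", "/admin/login-sync", admin, {"enabled": "true"})
    vuln_cfg, fixed_cfg = {"login_sync": False}, {"login_sync": False}
    return {
        "vulnerable_forged": (toggle_login_sync_vulnerable(forged, vuln_cfg), vuln_cfg["login_sync"]),
        "fixed_forged": (toggle_login_sync_fixed(forged, fixed_cfg), fixed_cfg["login_sync"]),
        "fixed_legit": (toggle_login_sync_fixed(legit, fixed_cfg), fixed_cfg["login_sync"]),
    }
```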
