Vulnerability notification: User Profiles for Confluence

Summary

JavaScript code can be injected through the Confluence default profile element “Position” and executes in the browser of any user who views the affected profile (stored cross-site scripting).

Advisory Release Date

08 October 2020 

Product

User Profiles for Confluence

Affected User Profiles for Confluence Versions

From version 3.2.0 until version 3.3.4

Fixed User Profiles for Confluence Version

3.3.5

Problem

We were able to identify a security vulnerability in our User Profiles for Confluence app. The vulnerability allows any logged-in user to inject JavaScript code into profile elements of their own profile, or of other profiles they are permitted to edit. The only affected element is “Position”. The injected code is executed in the viewing user's browser context and can perform any action within that user's scope (for example, read content or issue requests with the viewer's session). Affected views are

  • the attacker's profile page

  • Confluence content controlled by the attacker

  • the people directory

The vulnerability has been rated as P2 (High) according to Bugcrowd’s Vulnerability Rating Taxonomy (VRT).

This issue was reported by an external security researcher on 6 October 2020. As soon as we were informed about the issue, we analyzed the codebase for similar vulnerabilities.

All versions of User Profiles for Confluence from version 3.2.0 until version 3.3.4 are affected by this vulnerability.

Solution

If you are using the User Profiles for Confluence app in one of the affected versions from 3.2.0 until 3.3.4, please update immediately to User Profiles for Confluence 3.3.5. Note that the fix prevents harmful values from being rendered; values that were injected before the update still exist in the stored profile data and should be reviewed and cleaned up by an administrator.

Root Cause

Due to an error in input sanitization, users editing a profile could inject malicious data into the “Position” element, and that value was later written into the page as HTML when the profile was displayed. This qualifies as a stored cross-site scripting (XSS) vulnerability. The injected markup is executed in the viewing user's browser context, where it can load additional code from remote sites and run it with the viewer's permissions. Because a viewer may be a Confluence administrator, this also allows an escalation of privileges.
We have fixed the problematic code so that such potentially harmful element values are no longer rendered as HTML.
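The following is an added example, not code from the User Profiles for Confluence app or from Communardo. It contrasts the rendering pattern that causes a stored XSS of the kind described above (untrusted field value concatenated into markup) with the hardened form (HTML-escaping at the output boundary), and includes a small audit helper for administrators who want to find “Position” values injected before the upgrade. The profile object shape, the template strings, the `SUSPICIOUS` heuristic and the sample profiles are all assumptions made for illustration.

```javascript
// Added illustration of the stored-XSS pattern described in the advisory.
// Not code from the User Profiles for Confluence app; the profile shape
// ({ username, position }) and the templates are assumptions.

// Escape the five characters that can break out of HTML text or attributes.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));

// Vulnerable pattern: the stored "Position" value is inserted verbatim,
// so any markup the editing user stored becomes live HTML for every viewer.
function renderPositionVulnerable(profile) {
  return `<span class="position">${profile.position}</span>`;
}

// Hardened pattern: encode the untrusted value at the point where it is
// written into HTML. The browser then shows the literal text instead of
// parsing it as a tag or event handler.
function renderPositionFixed(profile) {
  return `<span class="position">${escapeHtml(profile.position)}</span>`;
}

// Audit helper (assumption: profiles are available as an array of objects).
// Upgrading stops harmful values from being rendered, but values stored
// before the upgrade remain in the database. This flags "Position" values
// that look like markup, a URL scheme handler, or an inline event handler.
// It is a heuristic: review hits manually, and do not treat a miss as proof
// that a value is clean.
const SUSPICIOUS = /<[a-z!\/]|javascript:|on[a-z]+\s*=/i;
function findSuspiciousPositions(profiles) {
  return profiles
    .filter((p) => SUSPICIOUS.test(String(p.position ?? '')))
    .map((p) => p.username);
}

// Constructed sample data (fictional users). The payload is a typical
// stored-XSS probe; in this Node script nothing parses it, so it is inert.
const sampleProfiles = [
  { username: 'alice', position: 'Security Engineer' },
  { username: 'mallory', position: '<img src=x onerror="alert(document.cookie)">' },
  { username: 'bob', position: 'R&D Lead' },
];

for (const p of sampleProfiles) {
  console.log('vulnerable:', renderPositionVulnerable(p));
  console.log('fixed:     ', renderPositionFixed(p));
}
console.log('profiles to review:', findSuspiciousPositions(sampleProfiles));
```

The hardened renderer is deliberately applied to every value, not only to ones that look suspicious: output encoding is the control that removes the vulnerability, while the audit regex only helps locate data that was stored while the encoding was missing.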