Vulnerability notification 2: User Profiles for Confluence

Summary

JavaScript code can be injected into the User Profile Configuration views and into default Confluence pages; additionally, a user without the required permission can be made to create or delete a profile element.

Advisory Release Date

05 November 2020 

Product

User Profiles for Confluence

Affected User Profiles for Confluence Versions

All versions up to and including 3.3.5

Fixed User Profiles for Confluence Version

3.3.6

Problem

We were able to identify some security vulnerabilities in our User Profiles for Confluence app.

The first two vulnerabilities appear in the User Profile Configuration views. JavaScript code can be injected into these views in two different ways. One allows any user to inject code into this view via a reflected cross-site scripting attack; the other allows a stored cross-site scripting attack from one administrator against another administrator. The injected code is then executed in the viewing user's context and can perform any action within that user's scope.

The next two vulnerabilities require the app Metadata for Confluence to be installed. Both allow an administrator to inject JavaScript code into the advanced search page and into every Confluence view that can render a macro of Metadata for Confluence.
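The reflected and stored cases above share one root: a value from a request or from a stored configuration is concatenated into HTML without escaping. The following is an added example (not code from the User Profiles for Confluence app) that places a vulnerable renderer next to a hardened one and checks which tags survive. The sample label and query parameter, the template markup and the function names are all constructed for the illustration.

```python
import html
import re

# Constructed sample values standing in for data the app renders: a profile
# element label stored by an administrator (stored XSS case) and a query
# parameter echoed back into the configuration view (reflected XSS case).
STORED_LABEL = 'Department <img src=x onerror="alert(document.cookie)">'
REFLECTED_PARAM = '"><script>alert(1)</script>'


def render_vulnerable(label: str, query: str) -> str:
    """Concatenates raw values into HTML: the pattern behind an XSS."""
    return (f'<div class="profile-element">{label}</div>'
            f'<input name="q" value="{query}">')


def render_hardened(label: str, query: str) -> str:
    """Escapes each value for the HTML text or attribute context it lands in.

    html.escape with quote=True covers both contexts used here; a value placed
    inside a <script> block or a URL would need a different encoder.
    """
    safe_label = html.escape(label, quote=True)
    safe_query = html.escape(query, quote=True)
    return (f'<div class="profile-element">{safe_label}</div>'
            f'<input name="q" value="{safe_query}">')


# Matches the name of every real tag in the output; escaped "&lt;" never matches.
_TAG_NAME = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def tag_names(rendered: str) -> set[str]:
    """Set of tag names present in rendered HTML (lower-cased)."""
    return {m.group(1).lower() for m in _TAG_NAME.finditer(rendered)}


if __name__ == "__main__":
    # Only the template's own tags (div, input) should be present after the fix.
    print("vulnerable:", sorted(tag_names(render_vulnerable(STORED_LABEL, REFLECTED_PARAM))))
    print("hardened:  ", sorted(tag_names(render_hardened(STORED_LABEL, REFLECTED_PARAM))))
```

A regression test for a fix of this kind should assert, as `tag_names` does here, that rendering attacker-controlled strings introduces no tag beyond those the template itself emits, rather than only checking for one specific payload.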

The last vulnerability is a cross-site request forgery (XSRF) which could be used to force an administrator to create or delete a user profile element of User Profiles for Confluence.

Solution

If you are using the User Profiles for Confluence app in one of the affected versions (3.3.5 or earlier), please update immediately to User Profiles for Confluence 3.3.6.

Root Cause

For the first four vulnerabilities, incorrect escaping caused our app to render some information from Confluence or from third-party apps as HTML. This qualifies as a cross-site scripting (XSS) vulnerability: the HTML, which may contain JavaScript, is executed in the context of the user viewing the content. This kind of vulnerability can be exploited for different attacks, including an escalation of privileges. The last vulnerability is due to the lack of an XSRF security token.
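The XSRF root cause can be shown in miniature: a state-changing request that is authorised by the session cookie alone will also succeed when a page on another site submits it, because the browser attaches the cookie automatically. Binding the request to a per-session token that only the app's own pages can read closes the gap. The following is an added example, not the app's code; the in-memory session store, the form field name `xsrf_token` and the handler are all assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store; a real app reads this from its session layer.
_SESSIONS: dict[str, dict] = {}
PROFILE_ELEMENTS: list[str] = []


def new_session(user: str, is_admin: bool) -> str:
    """Create a session and mint a random XSRF token bound to it."""
    session_id = secrets.token_urlsafe(16)
    _SESSIONS[session_id] = {
        "user": user,
        "admin": is_admin,
        "xsrf": secrets.token_urlsafe(32),
    }
    return session_id


def xsrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own forms; a cross-site page cannot read it."""
    return _SESSIONS[session_id]["xsrf"]


def handle_create_element(session_id: str, form: dict, check_token: bool) -> tuple[int, str]:
    """Handle a 'create profile element' POST.

    check_token=False models the unfixed behaviour (permission check only);
    check_token=True additionally requires a valid per-session XSRF token.
    Returns an HTTP-style status code and a short message.
    """
    session = _SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    if not session["admin"]:
        return 403, "administrator required"
    if check_token:
        supplied = form.get("xsrf_token", "")
        # Constant-time comparison so token validity cannot be probed via timing.
        if not hmac.compare_digest(supplied, session["xsrf"]):
            return 403, "missing or invalid XSRF token"
    PROFILE_ELEMENTS.append(form["name"])
    return 201, "created"


def simulate() -> dict:
    """Replay the three interesting cases and return their status codes."""
    admin = new_session("admin", is_admin=True)
    # A form submitted from a third-party page: the browser sends the admin's
    # session cookie, but the page cannot include the token it never saw.
    forged = {"name": "injected-element"}
    # The app's own form carries the token it rendered for this session.
    legit = {"name": "department", "xsrf_token": xsrf_token_for(admin)}
    return {
        "unfixed_forged": handle_create_element(admin, forged, check_token=False)[0],
        "fixed_forged": handle_create_element(admin, forged, check_token=True)[0],
        "fixed_legit": handle_create_element(admin, legit, check_token=True)[0],
    }


if __name__ == "__main__":
    print(simulate())
```

The same token check belongs on the delete endpoint and on every other state-changing action; a `SameSite` cookie attribute is useful defence in depth but does not replace the token, since it depends on browser behaviour rather than on the app.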