Vulnerability notification 3: User Profiles for Confluence

Summary

JavaScript code can be injected into User Profile Configuration Advanced Options page.

Advisory Release Date

04 December 2020 

Product

User Profiles for Confluence

Affected User Profiles for Confluence Versions

all version until version 3.3.7

Fixed User Profiles for Confluence Version

3.3.8

Problem

We were able to identify security vulnerabilities in our User Profile for Confluence app. The vulnerabilities allows user to inject JavaScript code into user profile configuration advanced options page. The injection of JavaScript is possible for a privileged user who has permission to create or modify profile elements.

The vulnerability has been rated as P3 according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).

Solution

If you are using the User Profiles for Confluence app in one of the affected versions until 3.3.7, please immediately update to User Profiles for Confluence 3.3.8.

Root Cause

Because of incorrect escaping our app would render data provided by an attacker as HTML. This qualifies as cross-site scripting (XSS) vulnerability. The HTML code which might contain JavaScript will then be executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.