Vulnerability notification 3: User Profiles for Confluence
Summary | JavaScript code can be injected into the User Profile Configuration Advanced Options page. |
---|---|
Advisory Release Date | 04 December 2020 |
Product | User Profiles for Confluence |
Affected User Profiles for Confluence Versions | all versions until version 3.3.7 |
Fixed User Profiles for Confluence Version | 3.3.8 |
Problem
We were able to identify security vulnerabilities in our User Profiles for Confluence app. The vulnerabilities allow a user to inject JavaScript code into the user profile configuration advanced options page. The injection of JavaScript is possible for a privileged user who has permission to create or modify profile elements.
The vulnerability has been rated as P3 according to the scale published under Bugcrowd’s Vulnerability Rating Taxonomy (VRT).
Solution
If you are using the User Profiles for Confluence app in one of the affected versions until 3.3.7, please immediately update to User Profiles for Confluence 3.3.8.
Root Cause
Because of incorrect escaping, our app would render data provided by an attacker as HTML. This qualifies as a cross-site scripting (XSS) vulnerability. The HTML code, which might contain JavaScript, is then executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.
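The escaping failure described under Root Cause, shown as an added example that is not the app's own code: a hypothetical row renderer for profile element labels without and with output encoding, plus a regression check that flags any stored label that changes the rendered markup. The function names, the `label` field and the sample labels are assumptions made for illustration.

```javascript
// Added example (not the app's code). Hypothetical renderer for one profile
// element row on an admin configuration page; data shape is an assumption.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the stored label is concatenated into the markup unchanged.
function renderRowUnescaped(element) {
  return `<tr><td title="${element.label}">${element.label}</td></tr>`;
}

// "After": the label is encoded at output time in both contexts it appears in.
function renderRowEscaped(element) {
  const label = escapeHtml(element.label);
  return `<tr><td title="${label}">${label}</td></tr>`;
}

// List every tag and tag@attribute present in the rendered HTML.
function markupInventory(html) {
  const found = new Set();
  const tagRe = /<([a-zA-Z][\w-]*)((?:\s+[\w-]+(?:\s*=\s*"[^"]*")?)*)\s*\/?>/g;
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    found.add(tag.toLowerCase());
    for (const [, name] of attrs.matchAll(/([\w-]+)(?:\s*=\s*"[^"]*")?/g)) {
      found.add(`${tag.toLowerCase()}@${name.toLowerCase()}`);
    }
  }
  return [...found].sort();
}

// The only markup the template itself is meant to produce.
const EXPECTED = JSON.stringify(['td', 'td@title', 'tr']);

// Return the labels whose rendered row contains markup the template did not define.
function findUnsafeLabels(elements, render) {
  return elements
    .filter((el) => JSON.stringify(markupInventory(render(el))) !== EXPECTED)
    .map((el) => el.label);
}

// Constructed sample labels: plain text, element injection, attribute injection.
const SAMPLE_ELEMENTS = [
  { label: 'Department' },
  { label: 'Team"><script>alert(1)</script>' },
  { label: 'Office" data-injected="1' },
];
```

Running `findUnsafeLabels` over stored profile elements with the production renderer gives a quick test-suite check that output encoding is applied in both the text and the attribute context.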