Vulnerability notification 6: User Profiles for Confluence
Summary

XSS vulnerability in User Profiles for Confluence

Advisory Release Date

20 August 2025

Product

User Profiles for Confluence

Affected User Profiles for Confluence Versions

  • for versions of our app supporting Confluence 8: all versions up to and including version 3.4.7

  • for versions of our app supporting Confluence 9: all versions up to and including version 3.5.3

  • all versions of our app supporting Confluence 10+ are not affected

  • all versions of our app supporting older Confluence releases are affected (please update to a recent version of Confluence)

Fixed User Profiles for Confluence Version

3.4.8 - supports Confluence 8
3.5.4 - supports Confluence 9

Versions of our app supporting Confluence 10+ are not affected

Problem

We were able to identify a security vulnerability in our User Profiles for Confluence app.

The vulnerability allows attackers to inject JavaScript code into different pages. The attackers do not need to be logged in to carry out the attack and do not require privileged access to Confluence.

The affected pages are:

  • user profile pages

  • any page displaying the profile list macro and the org chart macros

Solution

If you are using the User Profiles for Confluence app in one of the affected versions, please immediately update to the latest version of User Profiles for Confluence that supports your version of Confluence. For details, please see the version list at the beginning of this post.

Root Cause

Because of incorrect escaping of output, our app renders data provided by an attacker as HTML. This qualifies as a cross-site scripting (XSS) vulnerability. The injected HTML, which might contain JavaScript, is then executed in the browser of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.
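The following is an added illustration of the root cause described above; it is not code from the User Profiles for Confluence app and makes no claim about how the app renders its templates. It contrasts a template that interpolates profile fields into markup verbatim with one that HTML-escapes every untrusted value at the point of output, and includes a small allow-list check a reviewer can run over rendered output. The function names, the profile fields and the sample record are constructed for the example.

```javascript
// Added example, not code from the User Profiles for Confluence app.
// Field names (displayName, jobTitle) and the sample record are constructed.

// Minimal HTML escaper for text placed between tags or inside quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the stored profile values reach the markup unchanged,
// so any markup inside a value becomes part of the page (the root cause above).
function renderProfileCardUnsafe(profile) {
  return `<div class="profile"><h2>${profile.displayName}</h2><p>${profile.jobTitle}</p></div>`;
}

// Hardened pattern: every untrusted value is escaped where it is written out.
function renderProfileCardSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.displayName)}</h2><p>${escapeHtml(profile.jobTitle)}</p></div>`;
}

// Reviewer's check on rendered output: does any tag appear that the template
// itself does not emit? The allow-list is specific to this constructed template.
const TEMPLATE_TAGS = new Set(["div", "h2", "p"]);
function containsUnexpectedTag(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample record: a display name carrying a script tag and a job
// title carrying characters that matter inside HTML.
const SAMPLE_PROFILE = {
  displayName: "Jane Doe <script>alert('xss')</script>",
  jobTitle: "Engineer & \"Architect\"",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderProfileCardUnsafe(SAMPLE_PROFILE));
  console.log("safe:  ", renderProfileCardSafe(SAMPLE_PROFILE));
  console.log("unexpected tag in unsafe output:", containsUnexpectedTag(renderProfileCardUnsafe(SAMPLE_PROFILE)));
  console.log("unexpected tag in safe output:  ", containsUnexpectedTag(renderProfileCardSafe(SAMPLE_PROFILE)));
}
```

Run with `node` to see both renderings side by side. The escaper handles text and quoted-attribute contexts only; values written into URLs, inline scripts or CSS need context-specific encoding, which is why template engines with automatic contextual escaping are the preferred fix rather than hand-placed escape calls.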