Confluence Data Center
CONFSERVER-15754

Jiraissues add icon mapping configuration is susceptible to XSS

    • Type: Bug
    • Resolution: Fixed
    • Priority: High
    • 3.0
    • 2.10
    • None
    • QA-CAC: 3.0-beta2-r3

      Combined with the XSRF susceptibility in CONF-15753, you can craft an attack to get elevated privileges in Confluence.


            Paul Curren added a comment - edited

            To fix this vulnerability in Confluence 2.10, please install version 2.8.13 of the JIRA plugin for Confluence.

            This can be manually downloaded and installed from here. Alternatively, you can upgrade via the plugin repository client embedded in Confluence.

            PdZ (Inactive) added a comment -

            Confirmed that the original fix and the subsequent fix for when an XSRF token is not supplied operate as expected.

            AudraA added a comment -

            should be fixed in 3.0?? or at the latest 3.0.1

            PdZ (Inactive) added a comment -

            Bumped up to critical.

            PdZ (Inactive) added a comment -

            I'm going to have to reopen this one guys, and it is a bit more sinister than it was before.

            When the XSRF token is not supplied, the literal text of the jiraEntityName & iconFilename are used as default form inputs. You can escape from the attribute that they are specified in quite trivially:

            /admin/addiconmapping.action?jiraEntityName=%22%3EXSS%20goes%20here

            So at the moment, the XSRF token (lack thereof) allows for an XSS attack:
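The comment above describes the defect pattern: a submitted parameter is echoed back as a form default inside a quoted attribute without escaping. The Python below is an added illustration, not Confluence's code and not from the issue; it renders the form both ways (raw, as described, and with attribute escaping) and checks whether the value stays inside the attribute or leaks into the page. The request URL and form markup are constructed assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request in the shape quoted in the comment above; not a real Confluence URL.
REQUEST = "/admin/addiconmapping.action?jiraEntityName=%22%3EXSS%20goes%20here&iconFilename=bug.gif"

def query_params(url):
    """Return each query parameter's first value, URL-decoded, as the action receives it."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render_form(params, escaped):
    """Re-populate the add-icon-mapping form with the submitted values.
    escaped=False mirrors the defect: the literal value lands inside a quoted attribute,
    so a value beginning with '">' closes both the attribute and the <input> tag.
    escaped=True applies HTML attribute escaping (&, <, >, ", ') first, the fix for that context."""
    def attr(value):
        return html.escape(value, quote=True) if escaped else value
    return (
        '<form action="/admin/addiconmapping.action" method="post">'
        f'<input type="text" name="jiraEntityName" value="{attr(params.get("jiraEntityName", ""))}">'
        f'<input type="text" name="iconFilename" value="{attr(params.get("iconFilename", ""))}">'
        "</form>"
    )

class _FormInspector(HTMLParser):
    """Record every <input>'s value attribute and any text that ended up outside a tag."""
    def __init__(self):
        super().__init__()
        self.inputs = {}
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            self.inputs[a.get("name")] = a.get("value")

    def handle_data(self, data):
        self.stray_text += data

def values_survive_intact(params, escaped):
    """True when each submitted value comes back unchanged as its input's value attribute
    and nothing leaks out of the attribute into the document body (an attribute breakout)."""
    inspector = _FormInspector()
    inspector.feed(render_form(params, escaped))
    inspector.close()
    return inspector.stray_text.strip() == "" and all(
        inspector.inputs.get(name) == value for name, value in params.items()
    )
```

The same round-trip check works as a regression test for any template that echoes request parameters into attributes.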

            Paul Curren added a comment - Reviewed in http://developer.atlassian.com/jira/browse/CONFJIRA-152

            Paul Curren added a comment - Raised at http://developer.atlassian.com/jira/browse/CONFJIRA-152

            Paul Curren added a comment -

            You're right, although if you are a Confluence admin already (so able to access that action) there's quite a lot of evil you can do.

            I'm lowering the priority since it relies on your confadmins not being trusted.

              pcurren Paul Curren
              pdzwart PdZ (Inactive)