This vulnerability affects all versions from 3.5 and above.

We have identified and fixed a cross-site scripting (XSS) vulnerability in the Confluence settings editing action.

XSS vulnerabilities potentially allow an attacker to embed their own JavaScript into a Confluence page. You can read more about XSS attacks at various places on the web, including these:

This issue is reported in our security advisory on this page:
https://confluence.atlassian.com/x/aAI5Dg

[CONFSERVER-22479] XSS vulnerability in doeditmysettings.action

VitalyA added a comment -

On further review by the Confluence development team it has been discovered that while the root cause of the bug has been present in the code since version 2.7, it is only exploitable in 3.5 and above. I have changed the affected version.

We apologise for the inconvenience and will try our best (and even better) to avoid misinforming you in the future.

We still recommend that you upgrade to the latest version available.


VitalyA added a comment -

Hi Doods,

Do you have a security team or anything like that? If your instance is not on the Internet, then most of the issues in the past year or two are not of a huge impact. If it is on the Internet, then it either has been or is going to be compromised at any time. We do not patch unsupported versions, and even in otherwise supported versions we issue security patches only for the last two major releases; see the security patch policy link above. I doubt your version has been patched with respect to most of the last year's vulnerabilities. Please review the list of advisories at the end of this page - http://confluence.atlassian.com/display/DOC/Confluence+Security

You should re-examine your position on the risks posed by this and other vulnerabilities in your specific case. The severity ratings in our advisories are for the worst-case scenario.

Regards,
Vitaly


Charley Delaney added a comment -

Just to clarify, in 2.x this is the editmyprofile.action page, correct?

Doods Perea added a comment -

Hi Vitaly - we have religiously followed and implemented your patches for every Atlassian-announced system vulnerability, so we believe our Confluence 2.10.3 system, though old, is relatively safe. We cannot upgrade this system at the moment (we have another Production system running version 3.4.6) due to several "custom" features that we cannot have in the new version.

What is our alternative?

Thanks,
Doods

VitalyA added a comment -

Hi Kan,

Your version is two major releases old and probably has a number of other vulnerabilities. Please consider upgrading and raise a support ticket if you are having problems.

Our security patch policy is at http://confluence.atlassian.com/display/SUPPORT/Security+Patch+Policy.


Kan Ogawa added a comment -

Hi,

I want the patch for version 3.3. When will it be uploaded?


VitalyA added a comment -

The patch is only for 3.4. Version 2.10 is very old and has a large number of other vulnerabilities, some of which are of higher impact than this one. Please upgrade if you can.


Doods Perea added a comment -

Does this fix apply to 2.10.x installations too?

VitalyA added a comment - edited

02 June 2011 - This patch is no longer required, see below for explanation

Patch uploaded for 3.4. Instructions for installation:

• Shut down your Confluence instance.
• Copy the zip file into your Confluence installation folder and unzip it.
• Check that the following files were created:
  • confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
  • confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
  • confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class
• Restart your instance.

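The installation steps in the comment above, written out as a POSIX shell script. This is an added example, not Atlassian's code and not part of the patch zip: the three file paths are the ones the comment lists, while the installation-directory argument and the availability of the `unzip` and `sha256sum` utilities are assumptions. The verify function is the useful part: it fails if any expected file is missing or empty, and records a SHA-256 of each patched file so the deployment can be audited later.

```shell
#!/bin/sh
# Added example (not Atlassian's code): apply and verify the 3.4 patch
# described in the comment above. Stop Confluence before calling
# install_confluence_patch; the script does not do that for you.

# Files the patch zip is expected to create, relative to the Confluence
# installation folder (paths taken from the comment; no spaces in them,
# so plain word splitting on $PATCH_FILES is safe).
PATCH_FILES="confluence/WEB-INF/classes/com/atlassian/confluence/core/ConfluenceActionSupport.properties
confluence/WEB-INF/classes/com/atlassian/confluence/languages/DefaultLocaleManager.class
confluence/WEB-INF/classes/com/atlassian/confluence/user/actions/EditMySettingsAction.class"

# verify_confluence_patch INSTALL_DIR
# Returns 0 when every expected file exists and is non-empty; otherwise
# lists the missing or empty paths on stderr and returns 1. For each file
# that is present, prints its SHA-256 (when sha256sum is available) so the
# deployed patch can be recorded for later audit.
verify_confluence_patch() {
    install_dir=$1
    missing=0
    for rel in $PATCH_FILES; do
        path="$install_dir/$rel"
        if [ ! -s "$path" ]; then
            echo "MISSING or empty: $path" >&2
            missing=$((missing + 1))
        elif command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$path"
        else
            echo "present: $path"
        fi
    done
    [ "$missing" -eq 0 ]
}

# install_confluence_patch PATCH_ZIP INSTALL_DIR
# Steps from the comment: copy the zip into the installation folder, unzip
# it there, then check the expected files. Refuses to run against a
# directory that does not look like a Confluence installation. Requires
# the unzip utility (assumed); -o overwrites existing copies of the
# patched classes without prompting.
install_confluence_patch() {
    zip=$1
    install_dir=$2
    if [ ! -d "$install_dir/confluence/WEB-INF" ]; then
        echo "not a Confluence installation folder: $install_dir" >&2
        return 1
    fi
    cp "$zip" "$install_dir/" || return 1
    ( cd "$install_dir" && unzip -o "$(basename "$zip")" ) || return 1
    verify_confluence_patch "$install_dir"
}

# Usage (after stopping Confluence; INSTALL_DIR is your installation folder):
#   install_confluence_patch /path/to/patch.zip /opt/confluence
# or, to only check an installation that was patched by hand:
#   verify_confluence_patch /opt/confluence
```

Run the verify step again after restarting Confluence and compare the recorded hashes; if a later upgrade or redeploy replaces the `classes` tree, the check fails and tells you which of the three files is gone.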
