[CONFSERVER-20865] XSS vulnerability in space key, particularly with decorators off

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.2
Affects Version/s: 3.1, 3.5.13, 5.1-OD-4
Component/s: None
Labels:
- affects-cloud
- affects-server
- bf_triage
- cvss-high
- loyalty
- security
- spaces
- verified

CVSS Score:
6
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it.

To exploit it, create a user with html in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.

There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.

relates to

CONFCLOUD-20865 XSS vulnerability in space key, particularly with decorators off

Closed

causes: SCT-64 Failed to load

mentioned in: Wiki Page Failed to load; Wiki Page Failed to load

Form Name

Assignee:: Chii (Inactive)

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 23/Sep/2010 1:06 AM

Updated:: 12/Sep/2019 7:26 AM

Resolved:: 18/Jul/2013 11:31 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates