-
Bug
-
Resolution: Fixed
-
Medium
-
None
-
7.5
-
Scope of this issue is to address two specific XSS vulnerabilies. The scope of fixing i18n parameters is tracked elsewhere. Please see the comment below for details.
(Original Description)
The ConfluenceActionSupport.getText method is annotated with @HtmlSafe, forcing the Velocity engine to skip HTML encoding of the methods response. The responsibility of HTML encoding is therefore placed on the caller.
There appears to be a common vulnerability in several velocity templates, that take a user controlled variable and pass it as an argument to the getText method without encoding, leading to XSS vulnerabilities.
Two such examples are:
Managereferrers.vm
#if ($justAdded) #applyDecorator("warning" "") $action.getText("added.exclusion.feedback", [$justAdded, "$req.contextPath/admin/purgesinglereferrer.action?referrer=$justAdded", "$req.contextPath/admin/purgereferrers.action"]) #end #end
Importword.vm
<fieldset class="group"> <legend><span>$action.getText("office.connector.docimport.whereto"):</span></legend> <div class="radio"> <input type="radio" id="newpage" class="radio flip-delete" name="importSpace" value="true" checked> <label for="newpage">$action.getText("office.connector.docimport.whereto.space", [$pageTitle])</label> </div> <div class="radio"> <input type="radio" id="overwritepage" class="radio flip-delete" name="importSpace" value="false"> <label for="overwritepage">$action.getText("office.connector.docimport.whereto.page", [$pageTitle])</label> </div> <div class="checkbox" id="deletealldiv"> <input class="delete-all checkbox" type="checkbox" id="deleteall" name="overwriteAll" value="true" disabled> <label for="deleteall" id="deletealllabel" class="cannot-execute">$action.getText("office.connector.docimport.whereto.delete", [$pageTitle])<label> </div> </fieldset>
It's recommended all callers of the getText() method require HTML encoding of user controlled parameters.
- mentioned in
-
Wiki Page Failed to load
[CONFCLOUD-54069] Fix XSS vulnerabilities in managereferrers.vm and importword.vm
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2370458 ] | New: JAC Bug Workflow v3 [ 3414606 ] |
| Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 2251293 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2370458 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2205665 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 2251293 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2147424 ] | New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2205665 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v5 [ 1908773 ] | New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2147424 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v3 [ 1734688 ] | New: Confluence Workflow - Public Facing - Restricted v5 [ 1908773 ] |
| Fix Version/s | New: 5.1.1 [ 67673 ] | |
| Fix Version/s | Original: 5.1.1 [ 32106 ] | |
| Key |
Original:
|
New:
|
| Affects Version/s | New: 5.0-OD-17 [ 67648 ] | |
| Affects Version/s | Original: 5.0-OD-17 [ 29493 ] | |
| Project | Original: Confluence [ 10470 ] | New: Confluence [ 18513 ] |
| Workflow | Original: CONF Bug Subtask WF (TEMP) [ 1685566 ] | New: Confluence Workflow - Public Facing - Restricted v3 [ 1734688 ] |
| Workflow | Original: Confluence Workflow - Public Facing - Restricted v2 [ 1569061 ] | New: CONF Bug Subtask WF (TEMP) [ 1685566 ] |
| Labels | Original: advisory cvss-high editor hedge_bugfix security to_fix_workflow | New: advisory affects-cloud cvss-high editor hedge_bugfix security to_fix_workflow |
