
CSRF in gadgets plugin

Details

    Description

      The affected methods are:

      AddOrRemoveGadgetSpecAction, doAdd
      AddOrRemoveGadgetSpecAction, doRemove
      AddOrRemoveGadgetFeedAction, doAddGadgetFeed
      AddOrRemoveGadgetFeedAction, doRemoveGadgetFeed
      WhitelistAdminAction, doAddWhitelistUrl
      WhitelistAdminAction, doRemoveWhitelistUrl
      RevokeOAuthTokensAction, execute

      I'm proposing to leave the RevokeOAuthTokensAction unprotected, as the impact of a successful attack seems low, the difficulty of attack seems high (requires a token to be known), and it's a little more inconvenient to fix (I believe the JS in the atlassian-oauth repository would need to be changed.)

      People

        djohnson@atlassian.com Dougall Johnson