Details
- Type: Bug
- Resolution: Fixed
- Priority: Medium
- Fix Version/s: 5.9.11, 5.8.18, 5.7.6
- 1
- Symptom Severity: Severity 2 - Major
Description
Steps to Reproduce:
- In Confluence, visit the "My Profile" page (<confluence-url>/users/viewuserprofile.action)
- Click "Edit Profile"
- Note that no atl_token is present in the URL.
- Click "Settings" (<confluence-url>/users/viewmysettings.action)
- Click "Edit"
- Note that the atl_token value is present in the URL.
Cause
Some forms are rendered with the method GET rather than the method POST, so the atl_token hidden field ends up in the query string of the resulting URL.
Security implications
This is only an exploitable security issue if an attacker can somehow get a resource whose URL includes the token to load one of their own resources (or similar), such that the Referer of that request contains the CSRF token.
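As an added check (not code from this report or from Atlassian), the following Python flags forms that would expose the XSRF token the way the report describes, and tests whether a request's Referer header carries it; the HTML, paths and header values are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

TOKEN_FIELD = "atl_token"  # XSRF token parameter named in the report

class FormTokenAuditor(HTMLParser):
    """Records each <form> with its method and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults a form without a method attribute to GET
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(a.get("name", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def leaky_forms(html):
    """Actions of forms that submit the XSRF token via GET, which is what
    puts it into the URL and hence into the Referer of later requests."""
    parser = FormTokenAuditor()
    parser.feed(html)
    return [f["action"] for f in parser.forms
            if f["method"] == "get" and TOKEN_FIELD in f["fields"]]

def referer_leaks_token(headers):
    """True if a request's Referer header carries the token as a query parameter."""
    query = urlsplit(headers.get("Referer", "")).query
    return TOKEN_FIELD in parse_qs(query)

# Constructed sample: a GET form (leaks the token) and a POST form (does not)
SAMPLE_HTML = """
<form action="/users/viewmysettings.action" method="get">
  <input type="hidden" name="atl_token" value="TOKEN-PLACEHOLDER"><input type="submit" value="Edit"></form>
<form action="/users/viewuserprofile.action" method="post">
  <input type="hidden" name="atl_token" value="TOKEN-PLACEHOLDER"><input type="submit" value="Edit Profile"></form>
"""
```

Running `leaky_forms` over rendered pages, or `referer_leaks_token` over proxy request headers, gives a quick way to confirm the fix versions actually removed the GET forms from an instance.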
Issue Links
- is related to JRASERVER-61250: JIRA puts a user's XSRF token in various resources. (Gathering Impact)