[CONFSERVER-43162] XSS in newFileName Field

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.10.6
Affects Version/s: 5.9.12
Component/s: Content - Attachments
Labels:

Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

From an external report:

Confluence recently has been tested and, as a result, we were able to verify the existence of at least one persistent XSS vulnerability. This vulnerability is present in the Edit Attachment feature — specifically in the newFileName field — accessible through the following URL:
https://confluence/pages/editattachment.action
As a means to prove the concept proposed by this issue, we added the value "<script>alert(1)</script>file" (without quotes) in the newFileName field. Such as described in the image named xss.png (attached).
After the aforementioned insertion, the script executes successfully whenever a user visits the vulnerable page, which in turn, is available at:
https://confluence/dosearchsite.action?queryString="
As can be seen in the images named xss1.png and xss2.png (attached).

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

confluence-search-2.3.13-SNAPSHOT.jar
157 kB
19/Jul/2016 6:22 AM
xss.png
33 kB
18/Jul/2016 4:50 PM
xss1.png
66 kB
18/Jul/2016 4:50 PM
xss2.png
91 kB
18/Jul/2016 4:50 PM

relates to

CONFSERVER-43341 Inconsistent escaping returned by Confluence Search

Closed

links to

http://seclists.org/fulldisclosure/2017/Jan/3

Form Name

Ashley Blackmore added a comment - 07/Jul/2016 9:53 PM - edited

CVSS v3 score: 6.3 => Medium severity

Exploitability Metrics

Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User Interaction	Required

Scope Metric

Scope	Unchanged

Impact Metrics

Confidentiality	Low
Integrity	Low
Availability	Low

Ashley Blackmore added a comment - 07/Jul/2016 9:53 PM - edited CVSS v3 score: 6.3 => Medium severity Exploitability Metrics Attack Vector Network Attack Complexity Low Privileges Required None User Interaction Required Scope Metric Scope Unchanged Impact Metrics Confidentiality Low Integrity Low Availability Low

Assignee:: Feng Xu (Inactive)

Reporter:: Jodson Santos

Affected customers:: 0 This affects my team

Watchers:: 5 Start watching this issue

Created:: 07/Jul/2016 9:52 PM

Updated:: 11/Oct/2018 8:48 AM

Resolved:: 28/Aug/2016 11:06 PM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Ashley Blackmore added a comment - 07/Jul/2016 9:53 PM, Edited by David Black - 05/Jan/2017 9:48 PM

Expand comment: Ashley Blackmore added a comment - 07/Jul/2016 9:53 PM, Edited by David Black - 05/Jan/2017 9:48 PM

People

Dates