The fix for CONF-22132 was not sufficient because "svg" files are not "said" to be xml by the isXml() method. This means that it is possible for a malicious party to upload an svg file containing html/javascript which will be rendered in the victim's web browser.

This bug should have been raised a while ago, but it seems that it was forgotten ... (history: In CONF-23171 I included the following comment "(Hmm and it seems I did not report the svg bug in confluence yet - see JRA-24854)".)
We should fix this soon because in CONF-1762 there are public comments basically pointing out this persistent xss flaw.

Steps to reproduce:
1. create a file called "foo.svg" with the following contents:

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<script>alert(3);</script>
</html>

2. upload it to confluence
3. 'view' the attachment
4. see an alert dialogue with the number 3 in it.
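The root cause described above is an extension allow-list (isXml()) that did not include svg, so the attachment was served inline and the browser executed the embedded script. The following is an added defensive example, not Confluence's code: it classifies an upload as active content from both its extension and its leading bytes, and forces such files to be downloaded rather than rendered. Function and constant names are hypothetical; the sample bodies are constructed (the first one is the PoC body from the report).

```python
import re

# Extensions a browser will parse as XML/HTML and run scripts from.
ACTIVE_EXTENSIONS = {"svg", "svgz", "xml", "xhtml", "html", "htm", "xsl", "xslt"}

# Leading-byte markers that reveal XML/HTML content whatever the file is named
# (optional UTF-8 BOM, then an XML prolog, doctype, or a telltale root tag).
_ACTIVE_MARKERS = re.compile(
    rb"^\s*(?:\xef\xbb\xbf)?\s*(?:<\?xml|<!doctype|<svg|<html|<script)",
    re.IGNORECASE,
)


def is_active_content(filename: str, head: bytes) -> bool:
    """True if a browser could render this attachment as XML/HTML.

    The extension check alone is what failed in the report, so the first
    512 bytes are sniffed as well."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ACTIVE_EXTENSIONS:
        return True
    return _ACTIVE_MARKERS.search(head[:512]) is not None


def attachment_headers(filename: str, head: bytes, declared_type: str) -> dict:
    """Response headers for serving an attachment.

    Active content is forced to download as an opaque blob, and nosniff stops
    the browser second-guessing the type, so a stored <script> never executes
    in the wiki's origin."""
    safe_name = re.sub(r'["\r\n]', "", filename)  # keep the header well-formed
    headers = {"X-Content-Type-Options": "nosniff"}
    if is_active_content(filename, head):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    return headers


# Constructed samples: the PoC body from the report, and a PNG signature.
POC_SVG = (b'<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\n'
           b"<script>alert(3);</script>\n</html>\n")
PNG_HEAD = b"\x89PNG\r\n\x1a\n"

if __name__ == "__main__":
    print(attachment_headers("foo.svg", POC_SVG, "image/svg+xml"))
    print(attachment_headers("photo.png", PNG_HEAD, "image/png"))
```

Note that a PoC body renamed to "image.png" is still caught by the byte sniffing, which is the gap an extension-only check leaves open.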

Assignee: Unassigned
Reporter: David Black (dblack)