Confluence Data Center: CONFSERVER-100184

Stored XSS in Confluence DC resolved Comments


      Issue Summary

      Confluence Cloud DC is susceptible to XSS and account takeover via comments once a comment is resolved. Comment data is not being stored and sanitized properly, which allows the injected code to run. The POC showed that an attacker can leak document.cookie, which could lead to other cookie-based vulnerabilities.

      The vulnerability was validated on v8.5.2 via instantenv. The customer reported that the vulnerability is present on versions below v8.5.20 and on v9.0+.

      Steps to Reproduce

      1. Create a new page.
      2. Insert the code <img/src=z onerror=alert(document.domain);> onto the page and publish.
      3. Highlight the code and add a comment. Save the comment.
      4. Mark the comment as resolved.
      5. Click the 3 dots in the top right corner and click on “Resolved comments”.
      6. Watch the XSS execute. The customer was able to grab the document.cookie value.

      Expected Results

      XSS should not be allowed to execute.

      Actual Results

      XSS executes; the customer was able to grab the document.cookie value.

      Workaround

      1. Validate the vulnerability on versions less than v8.5.20 and on versions 9.0 and higher, and patch if necessary.
      2. Sanitize the highlighted text associated with the comment when storing and retrieving it:
        a. Either sanitize before render
        b. Or encode on storage
      3. Defense in depth: implement appropriate CSP headers so that injected inline script is not executed even if it reaches the page.
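Added example, not Confluence's or the reporter's code: the two encoding options from the workaround applied to a resolved comment's highlighted text, shown next to the unsafe concatenation the report describes, plus the double-encoding caveat when "encode on storage" and "sanitize before render" are both applied. The comment object shape and the function names are assumptions.

```javascript
// Constructed sample: the payload from the report stored as the text the comment
// was attached to. Field names are assumed, not Confluence's data model.
const STORED_COMMENT = {
  author: "reporter",
  body: "Please double-check this snippet.",
  highlightedText: "<img/src=z onerror=alert(document.domain);>",
};

// Minimal HTML entity encoder for untrusted text placed inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Unsafe: the highlighted text is interpolated into markup verbatim, so the
// browser parses the stored <img> tag and fires its onerror handler.
function renderResolvedCommentUnsafe(c) {
  return `<div class="resolved-comment"><blockquote>${c.highlightedText}</blockquote>` +
         `<p>${c.body}</p></div>`;
}

// "Sanitize before render": every untrusted field is entity-encoded at render
// time, so the payload is displayed as literal text and never becomes a DOM node.
function renderResolvedCommentSafe(c) {
  return `<div class="resolved-comment"><blockquote>${escapeHtml(c.highlightedText)}</blockquote>` +
         `<p>${escapeHtml(c.body)}</p></div>`;
}

// "Encode on storage": encode once when the comment is saved, then render the
// stored value verbatim. Do not also encode at render time, or the text is
// double-encoded and the reader sees "&lt;img" instead of "<img".
function storeComment(c) {
  return { ...c, highlightedText: escapeHtml(c.highlightedText), body: escapeHtml(c.body) };
}

// Detection helper: true when the markup still contains a parsable tag that
// carries an on* event handler attribute.
function containsLiveHandler(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}
```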

Sagar Deshmukh