[CONFSERVER-20865] XSS vulnerability in space key, particularly with decorators off

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.2
Affects Version/s: 3.1, 3.5.13, 5.1-OD-4
Component/s: None
Labels:
- affects-cloud
- affects-server
- bf_triage
- cvss-high
- loyalty
- security
- spaces
- verified

CVSS Score:
6
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag. Eg Doc Theme breaks without it. Themes choice breaks without it.

To exploit it, create a user with html in the login name, then create a personal space as that user. Finally, use a decorator=none request param when viewing a page to see the content tags.

There are actually a few places that the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.

relates to

CONFCLOUD-20865 XSS vulnerability in space key, particularly with decorators off

Closed

causes: SCT-64 Failed to load

mentioned in: Wiki Page Failed to load; Wiki Page Failed to load

set-jac-bot made changes - 12/Sep/2019 7:26 AM

Link

New: This issue details CONFSERVER-21012 [ CONFSERVER-21012 ]

Katherine Yabut made changes - 13/Nov/2018 4:48 AM

Workflow

Original: JAC Bug Workflow v3 [ 2879470 ]

New: CONFSERVER Bug Workflow v4 [ 3003235 ]

Owen made changes - 11/Oct/2018 8:42 AM

Workflow	Original: JAC Bug Workflow v2 [ 2784509 ]	New: JAC Bug Workflow v3 [ 2879470 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Owen made changes - 29/Aug/2018 11:14 PM

Workflow

Original: JAC Bug Workflow [ 2713617 ]

New: JAC Bug Workflow v2 [ 2784509 ]

Owen made changes - 02/Jul/2018 6:49 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2400081 ]

New: JAC Bug Workflow [ 2713617 ]

Niraj Bhawnani made changes - 04/May/2018 4:33 AM

Link

New: This issue is duplicated by CONFSERVER-29339 [ CONFSERVER-29339 ]

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:47 AM

Labels

Original: affects-cloud affects-server bf_triage bugfix cvss-high loyalty security spaces verified

New: affects-cloud affects-server bf_triage cvss-high loyalty security spaces verified

Alex Yakovlev (Inactive) made changes - 16/Oct/2017 3:39 AM

Labels

Original: affects-cloud affects-server bf_triage bugfix cvss-high security spaces verified

New: affects-cloud affects-server bf_triage bugfix cvss-high loyalty security spaces verified

Katherine Yabut made changes - 22/Jun/2017 6:53 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5 [ 2299286 ]

New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2400081 ]

Katherine Yabut made changes - 31/May/2017 5:40 AM

Workflow

Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2233818 ]

New: Confluence Workflow - Public Facing - Restricted v5 [ 2299286 ]

Assignee:: Chii (Inactive)

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 23/Sep/2010 1:06 AM

Updated:: 12/Sep/2019 7:26 AM

Resolved:: 18/Jul/2013 11:31 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates