Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.10.4, 5.9.14
Affects Version/s: 5.9.11, 5.8.18, 5.7.6
Component/s: User - Profile
Labels:
- affects-server
- csrf
- cvss-medium
- security
- xsrf

Support reference count:
1
Symptom Severity:
Severity 2 - Major

Steps to Reproduce:

In Confluence, visit the "My Profile" page (<confluence-url>/users/viewuserprofile.action)
Click "Edit Profile"
Note that no atl_token is present in the URL.
Click "Settings" (<confluence-url>/users/viewmysettings.action)
Click "Edit"
Note that the atl_token value is present in the URL.

Cause

Some forms are rendered as having the method GET rather than the method POST

Security implications

It is only an exploitable security issue if an attacker can get somehow get a resource that includes the token in the URL to access one of their resources or similar such that the referer of the request contains the csrf token.

mentioned in: Page Loading...; Page Loading...; Page Loading...

Assignee:: Denise Unterwurzacher [Atlassian] (Inactive)
Reporter:: Dave Norton (Inactive)
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Due:: 02/Aug/2016
Created:: 31/May/2016 3:21 AM
Updated:: 11/Oct/2018 8:49 AM
Resolved:: 02/Aug/2016 4:42 PM

Details

Description

Steps to Reproduce:

Cause

Security implications

Attachments

Issue Links

Forms

Activity

People

Dates