Confluence Security Advisory 2010-06-02

This security advisory announces a vulnerability in the Confluence Mail Page plugin that may expose a Confluence site to XSS (cross-site scripting) attacks, if it is enabled (note, the Confluence Mail Page plugin is disabled by default). If you do not have this plugin enabled, your site will not be affected. However, we recommend that you still read the advisory below.

XSS Vulnerability in Confluence Mail Page Plugin

Severity

Atlassian rates this vulnerability as high, according to the scale published in Severity Levels for Security Issues. The scale allows us to rank a vulnerability as critical, high, moderate or low.

Risk Assessment

We have identified and fixed a security vulnerability which may affect Confluence instances in a public environment. This flaw is a cross-site scripting (XSS) vulnerability that could occur if you have the Confluence Mail Page plugin enabled. The Confluence Mail Page plugin is bundled with Confluence, although it is disabled by default.

  • The attacker might take advantage of the vulnerability to steal other users' session cookies or other credentials, by sending the credentials back to the attacker's own web server.
  • The attacker's text and script might be displayed to other people viewing the Confluence page. This is potentially damaging to your company's reputation.

You can read more about XSS attacks at cgisecurity, CERT and other places on the web.

Vulnerability

An attacker can execute their own JavaScript when a user enters a custom URL into the browser address bar (e.g. the user clicks a crafted link in an email). The rogue JavaScript will be executed when the user invokes the URL. For more details, please refer to CONF-19802.

Risk Mitigation

We recommend installing the updated Confluence Mail Page plugin into your Confluence installation to fix this vulnerability. Please see the 'Fix' section below.

Alternatively, if you are not in a position to undertake this immediately and you judge it necessary, you can disable the Confluence Mail Page plugin (note, the plugin is disabled by default). You may also wish to disable public access (e.g. anonymous access and public signup) to your wiki until you have applied the necessary patch or upgrade. For even tighter control, you could restrict access to trusted groups.

Fix

These issues have been fixed in the latest version (v1.10) of the Confluence Mail Page plugin, which you can download from the Atlassian Plugin Exchange. Installation instructions are available on the plugin documentation page.

Please note, version 1.10 of the Confluence Mail Page plugin will only work with Confluence 3.2. You will need to upgrade to Confluence 3.2 before installing the updated plugin.
