Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based XSS (Cross Site Scripting) vulnerability that has been found in the S/MIME certificate upload functionality in of the User Profile pages of S/Notify for Confluence.

You might would be affected when

  • you use S/Notify for Confluence

  • and you have enabled that users can upload their own S/MIME certificates

...

  • you use S/Notify for Jira or S/Notify for Bitbucket

  • or you have enabled the PGP key upload and not S/MIME

...

While a user is logged on, a specially specifically crafted certificate can be used to inject malicious content that can be executed within the context of the user’s permissions.

...

The severity of this vulnerability is considered moderate according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 6.5 1 (medium) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.

...