Abstract
CSRF based XSS vulnerability found in S/MIME user upload
We would like to inform our clients about a CSRF (Cross Site Request Forgery) based XSS (Cross Site Scripting) vulnerability that has been found in the S/MIME certificate upload functionality of the User Profile pages of S/Notify for Confluence.
You would be affected when
you use S/Notify for Confluence
and you have enabled that users can upload their own S/MIME certificates
For further clarification, you are not affected when
you use S/Notify for Jira or S/Notify for Bitbucket
or you have enabled the PGP key upload and not S/MIME
Description
While a user is logged on, a specifically crafted certificate can be used to inject malicious content that can be executed within the context of the user’s permissions.
The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.
Background
Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain which allows an attacker to control code that is executed within a user’s browser.
From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
Business Impact
Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including attempting other malicious attacks, which would appear to originate from a legitimate user.
Assessment
The severity of this vulnerability is considered moderate according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 6.5 (medium) rating in the Common Vulnerability Scoring System.
This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.
Action
Affected versions
Versions up to and including 4.0.0 of S/Notify for Confluence must be considered affected.
Temporary Mitigation
Disallowing users to upload their own S/MIME certificate will remove the vulnerability from your installation. To do so
navigate to the S/Notify User Key Management administration page
on the S/MIME tab, deselect Allow user uploads
Permanent Fix
Download and install our fix release 4.0.1 of S/Notify for Confluence.
0 Comments