Security Advisory 2-Nov-2023

Created by Metin Savignano
Last updated: 02 Nov, 2023
2 min read

Abstract

CSRF based XSS vulnerability found in S/MIME user upload

We would like to inform our clients about a CSRF (Cross Site Request Forgery) based XSS (Cross Site Scripting) vulnerability that has been found in the S/MIME certificate upload functionality of the User Profile pages of S/Notify for Confluence.

You would be affected when

  • you use S/Notify for Confluence

  • and you have enabled that users can upload their own S/MIME certificates

For further clarification, you are not affected when

  • you use S/Notify for Jira or S/Notify for Bitbucket

  • or you have enabled the PGP key upload and not S/MIME

Description

While a user is logged on, a specifically crafted certificate can be used to inject malicious content that can be executed within the context of the user’s permissions.

The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.

Background

Stored Cross-Site Scripting (XSS) is a type of injection attack where malicious JavaScript is injected into a website. When a user visits the affected web page, the Javascript executes within that user’s browser in the context of this domain. Stored XSS that is based inside the URL can be found on this domain which allows an attacker to control code that is executed within a user’s browser.

From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.

Business Impact

Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including attempting other malicious attacks, which would appear to originate from a legitimate user.

Assessment

The severity of this vulnerability is considered moderate according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 6.1 (medium) rating in the Common Vulnerability Scoring System.

This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.

Action

Affected versions

Versions up to and including 4.0.0 of S/Notify for Confluence must be considered affected.

Temporary Mitigation

Disallowing users to upload their own S/MIME certificate will remove the vulnerability from your installation. To do so

  1. navigate to the S/Notify User Key Management administration page

  2. on the S/MIME tab, deselect Allow user uploads

Permanent Fix

Download and install our fix release 4.0.1 of S/Notify for Confluence.

 

 

 

The S/Notify Email Encryption apps are brought to you by savignano software solutions, a small yet savvy IT solutions company in Germany. Click here for legal information.