This advisory discloses a security issue of *high* severity affecting Scroll Documents and provides a step-by-step guide to help you rectify it. The following apps and versions are affected:
Scroll Documents for Confluence Server, versions 1.1.5 and older
Scroll Documents for Confluence Cloud, versions 2.0.6-AC and older
After updating to the fix versions, your instance is no longer affected by this security issue.
K15t Software rates the severity level of this issue as *high*.
This is our baseline assessment; it's best if you evaluate how it applies to your own IT environment.
Scroll Documents is affected by a cross-site scripting (XSS) vulnerability: an attacker can insert malicious script into a document, and that script is executed in the browser of any user who views the document. This can be used, for example (but not exclusively), to:
Execute HTTP requests on behalf of that user
We have taken the following steps to address this issue:
Released the *Scroll Documents 1.2.0 (Server) and 2.0.7-AC (Cloud)* updates on the Atlassian Marketplace
Informed all app customers and evaluators through our release notes.
A Confluence administrator might need to upgrade Scroll Documents to these (or later) versions:
Scroll Documents for Confluence Cloud, version 2.0.7-AC or newer
Scroll Documents for Confluence Server, version 1.2.0 or newer
Scroll Documents for Confluence Cloud is usually updated automatically in your Confluence Cloud instance by the Atlassian Marketplace, so you only need to double-check that the version shown in the Manage Apps/Add-ons section is 2.0.7-AC or newer. If it is not, trigger the update manually by clicking Update in the Manage Apps/Add-ons section of your Confluence Cloud instance.
Scroll Documents for Confluence Server needs to be updated within the Manage Apps/Add-ons section of your Confluence Server. You can do this either by clicking Update for Scroll Documents or by downloading the latest version from the Atlassian Marketplace and manually uploading it to your Confluence Server.
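A small triage helper, added here as an example and not part of K15t's advisory or tooling, that applies the fix versions above to an inventory of Confluence instances and lists the ones still running an affected Scroll Documents release. The inventory, instance names and the "server"/"cloud" deployment labels are constructed for the example; versions are compared numerically, so 1.10.0 correctly ranks above 1.2.0.

```python
import re

# Fix versions per the advisory; every release below these is affected.
FIX_VERSIONS = {
    "server": "1.2.0",
    "cloud": "2.0.7-AC",
}

# major.minor.patch with an optional suffix such as the Cloud line's "-AC".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?$")


def parse_version(version):
    """Split '2.0.6-AC' into ((2, 0, 6), 'AC'); raises ValueError on junk input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Scroll Documents version: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def is_affected(deployment, version):
    """True when the installed version is older than the fix for that deployment."""
    fix_nums, fix_suffix = parse_version(FIX_VERSIONS[deployment])
    nums, suffix = parse_version(version)
    if suffix != fix_suffix:
        # Cloud releases carry "-AC", Server releases do not; a mismatch means the
        # version string was taken from the wrong product line, so refuse to guess.
        raise ValueError(f"{version!r} does not look like a {deployment} version")
    return nums < fix_nums


def triage(inventory):
    """Given {instance: (deployment, version)}, return the instances that still need the update."""
    return sorted(name for name, (dep, ver) in inventory.items() if is_affected(dep, ver))


# Constructed sample inventory (not real instances).
SAMPLE_INVENTORY = {
    "wiki-prod": ("server", "1.1.5"),
    "wiki-staging": ("server", "1.2.0"),
    "team-cloud": ("cloud", "2.0.6-AC"),
    "docs-cloud": ("cloud", "2.0.7-AC"),
}

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        fix = FIX_VERSIONS[SAMPLE_INVENTORY[name][0]]
        print(f"{name}: update Scroll Documents to {fix} or newer")
```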
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
If you have any questions or want support in fixing the issue on your system, please let us know at firstname.lastname@example.org. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue should you so desire.