This advisory discloses a security issue of critical severity affecting Scroll Exporter apps, and provides a step-by-step guide to help you rectify the issue. The following apps and versions are affected:
Scroll DocBook Exporter, version 3.0.0 or later, fixed in version 3.8.8
Scroll EclipseHelp Exporter, version 3.0.0 or later, fixed in version 3.8.8
Scroll EPUB Exporter, version 3.0.0 or later, fixed in version 3.8.8
Scroll PDF Exporter, version 3.0.0 or later, fixed in version 4.6.7
Scroll Word Exporter, version 4.1.0 or later, fixed in version 4.1.7
After updating these apps to the fixed version, your Confluence instance is no longer affected by this security issue.
K15t Software rates the severity level of this issue as critical, as a remote attacker is able to execute code on your system.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Scroll DocBook Exporter, Scroll EclipseHelp Exporter, Scroll EPUB Exporter, Scroll PDF Exporter, and Scroll Word Exporter are affected by a remote code execution vulnerability that enables attackers to execute arbitrary code on your system. This can be used for example, but is not limited to:
Elevation of user privileges
Installation of additional malicious apps
Access to and modification of Confluence content without further permission checks
Any Confluence user who is able to export pages or blog posts is able to exploit this bug.
By default, this ability is available to all users, including anonymous users if the Confluence administrator enabled access for anonymous users.
We have taken the following steps to address this issue:
Released fixed versions of Scroll Exporter apps on Atlassian Marketplace
Informed all app customers and evaluators who might have been affected
A Confluence administrator needs to upgrade Scroll Exporter apps to these (or later) versions:
Scroll DocBook Exporter 3.8.8
Scroll EclipseHelp Exporter 3.8.8
Scroll EPUB Exporter 3.8.8
Scroll PDF Exporter 4.6.7
Scroll Word Exporter 4.1.7
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system please let us know at firstname.lastname@example.org. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue should you so desire.