This advisory discloses a security issue of high severity affecting Scroll Word Exporter for Confluence Server and Data Center, and provides a step-by-step guide to help you rectify the issue.
Scroll Word Exporter versions up to and including 4.1.10 are affected. The issue is fixed in 4.1.11 and later.
K15t rates the severity level of this issue as high, because it can be abused for SSRF attacks.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
A bug in the processing of user-provided export templates can be exploited for a Server-Side Request Forgery (SSRF) attack to initiate HTTP calls to internal resources such as a file server. This can also be used to include such resources in the exported Word file.
To exploit this, an authenticated Confluence user needs to be able to upload manipulated Scroll Word Exporter templates, for example in their personal space, and then export using such a template.
We've rated this bug with a CVSS score of 8.5 (High).
We released a fixed version of Scroll Word Exporter on the Atlassian Marketplace.
A Confluence administrator needs to upgrade the affected apps to a fixed version.