This advisory discloses a security issue of medium severity affecting Scroll PDF Exporter for Confluence Cloud and Scroll Word Exporter for Confluence Cloud and provides a step-by-step guide to help you rectify the issue.
Scroll PDF Exporter for Confluence Cloud and Scroll Word Exporter for Confluence Cloud were affected before September 16, 2019.
K15t rates the severity of this issue as medium because it can be abused to forge other K15t websites.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
A bug in the way our integration with Confluence Cloud works allowed an attacker to inject arbitrary scripts into web pages served by the app host (DOM-based cross-site scripting, DOM-XSS).
To exploit this, an attacker would need to send the victim a manipulated link pointing to our app server. When following this link, the victim would see a forged website that might encourage them to enter credentials.
This vulnerability could not be directly used to access customer-owned data within the Confluence instance.
According to our access logs, this vulnerability has not been exploited so far.
We've rated this bug with a CVSS score of 4.7 (Medium).
We updated our Cloud apps so they are no longer vulnerable to this attack.
No action is required from customers, as updates to Cloud apps occur automatically.