This advisory discloses a security issue of *medium severity* affecting Scroll Viewport, and provides a step-by-step guide to help you rectify the issue.
If you have Scroll Viewport for Confluence Cloud on your Confluence instances and haven't accepted our release from 2020-09-02, you may be affected by this issue. After accepting this release and updating to the latest version, your instance is no longer affected by this security issue.
K15t Software rates the severity level of this issue as *medium*, because the scope of a possible XSS attack is limited by sandboxing and same-origin policy.
This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.
Since the Viewport Site is hosted outside of Confluence Cloud and only certain users are allowed to update the site:
A user with permission to edit a page that is part of a Viewport site can add an XSS payload to the page, but the attack will only be included on the Viewport site when a Viewport admin updates the site.
The previews inside Confluence run in a sandboxed iframe and cannot access Confluence.
Also, the live site runs on a different domain than Confluence and cannot access, e.g., a Confluence session.
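The mitigation described above relies on the browser (sandboxing and the same-origin policy) to contain a payload that has already reached the published site. The complementary defence is to stop editor-supplied markup from reaching the generated site unescaped in the first place. The following allow-list sanitizer is an added illustration of that approach and is not Scroll Viewport's code; the tag and attribute allow-lists, the `sanitize()` function and the sample page body are all assumptions made up for this example.

```python
"""Allow-list HTML sanitizer for editor-supplied page content.

Hypothetical example: a static site generator that publishes content
written by page editors can run each page body through a sanitizer
like this one before writing it to the public site, so that a stored
XSS payload in the source page is neutralised rather than published.
Not Scroll Viewport's implementation.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-lists for this example: anything not listed is dropped.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li",
                "code", "pre", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
# Elements whose *content* must also be discarded, not just the tag.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "template"}
SAFE_SCHEMES = {"http", "https", "mailto", ""}   # "" = relative URL
VOID_TAGS = {"br"}


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True hands handle_data() decoded text, which we
        # then re-escape, so entity-encoded payloads cannot slip through.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a dropped element
        self.open_stack = []     # allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # drop the tag but keep its text content
        safe_attrs = []
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):            # event handlers never pass
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href":
                scheme = urlparse(value).scheme.lower()
                if scheme not in SAFE_SCHEMES:   # blocks javascript:, data:, ...
                    continue
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_stack:
            return
        # Close back to this tag so the output stays well-formed.
        while self.open_stack:
            closed = self.open_stack.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_stack:               # close anything left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(html_fragment):
    """Return a sanitized copy of an editor-supplied HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(html_fragment)
    return parser.close()


if __name__ == "__main__":
    # Constructed sample page body containing the usual stored-XSS carriers.
    body = ('<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script>'
            '<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>')
    print(sanitize(body))
```

The parser keeps the allowed structure, strips every `on*` handler, drops unsafe URL schemes from `href`, discards `<script>` together with its body, and re-escapes all text, so the generated page carries no executable content from the editor. Sanitizing at publish time complements, rather than replaces, the sandboxed previews and separate-domain hosting described above.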
We've rated this bug with a CVSS score of 4.6 (Medium).
We have taken the following steps to address this issue:
Released Scroll Viewport for Confluence Cloud 2020-10-09 on Atlassian Marketplace.
A Confluence Administrator needs to make sure the latest version of Scroll Viewport (2020-10-09) is used. If not, the update from 2020-09-02 needs to be accepted first.
A Confluence Administrator or Viewport Site Admin needs to regenerate the Scroll Viewport Site.
We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.
In case you have any questions or want to get support in fixing the issue on your system please let us know at email@example.com. We are happy to schedule a 1:1 screensharing session to help you resolve the issue should you so desire.