XSS vulnerability in Scroll Viewport - security advisory (2020-10-09)

Description

Summary

This advisory discloses a security issue of *medium severity* affecting Scroll Viewport, and provides a step-by-step guide to help you rectify the issue.

If you have Scroll Viewport for Confluence Cloud on your Confluence instances and haven't accepted our release from 2020-09-02, you may be affected by this issue. After accepting this release and updating to the latest version, your instance is no longer affected by this security issue.

Severity

K15t Software rates the severity level of this issue as *medium*, because the scope of a possible XSS attack is limited by sandboxing and same-origin policy.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

Scroll Viewport is affected by an XSS vulnerability: an attacker who can edit a Confluence page that is part of a Viewport site can inject specially crafted content into that page, and that content can execute JavaScript code within the Viewport site if the Help Center theme is enabled.

Since the Viewport Site is hosted outside of the Confluence Cloud and only certain users are allowed to update the site:

  • A user with permission to edit a page that is part of a Viewport site can add an XSS payload to the page, but the payload is only included on the Viewport site once a Viewport admin updates the site.

  • The previews inside Confluence run in a sandboxed iframe and cannot access Confluence.

  • The live site also runs on a different domain than Confluence and therefore cannot access, for example, a Confluence session.

We've rated this bug with a CVSS score of 4.6 (Medium).

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

  • Released Scroll Viewport for Confluence Cloud 2020-10-09 on Atlassian Marketplace.

What you need to do to solve this issue on your instance

  • A Confluence Administrator needs to make sure the latest version of Scroll Viewport (2020-10-09) is used. If not, the update from 2020-09-02 needs to be accepted first.

  • A Confluence Administrator or Viewport Site Admin needs to regenerate the Scroll Viewport Site.


We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

In case you have any questions or want support in fixing the issue on your system, please let us know at support@k15t.com. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue should you so desire.

Reporter

Sync User [K15t]

Deployment

Cloud

Due date

2020/10/13