XSS vulnerability in Scroll Viewport - security advisory (2020-10-13)

Description

Summary

This advisory discloses a security issue of *high severity* affecting Scroll Viewport, and provides a step-by-step guide to help you rectify the issue.

If you have Scroll Viewport version 2.14.0 or later installed on your Confluence instances and are actively using the Help Center Theme, you may be affected by this issue. After updating to version 2.17.6, your instance is no longer affected by this security issue.

Severity

K15t Software rates the severity level of this issue as *high*, because the scope of a possible XSS attack is limited to the Help Center theme.

This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

Detailed description

Scroll Viewport is affected by an XSS vulnerability: an attacker who can edit a Confluence page can inject specially crafted content into it, and if that page is part of a Viewport with the Help Center theme enabled, the injected content can execute JavaScript code within the Viewport.

We've rated this bug with a CVSS score of 7.3 (High).

Steps we've taken to fix this issue

We have taken the following steps to address this issue:

  • Released Scroll Viewport for Confluence Server 2.17.6 on Atlassian Marketplace.

What you need to do to solve this issue on your instance

  • A Confluence Administrator needs to upgrade Scroll Viewport to version 2.17.6 or later. 
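To confirm whether an instance still falls in the affected version range (2.14.0 or later, not yet 2.17.6), the following check is an added example, not K15t's code. It assumes the Universal Plugin Manager listing at GET /rest/plugins/1.0/ and the plugin key com.k15t.scroll.scroll-viewport; both are assumptions to verify against your own instance.

```python
import json
import re
from base64 import b64encode
from urllib.request import Request, urlopen

# Boundaries from the advisory: 2.14.0 and later may be affected, 2.17.6 is fixed.
FIRST_AFFECTED = (2, 14, 0)
FIXED_VERSION = (2, 17, 6)
VIEWPORT_PLUGIN_KEY = "com.k15t.scroll.scroll-viewport"  # assumed key; verify in UPM

def parse_version(text):
    """'2.17.6' (or '2.17.6-beta1') -> (2, 17, 6); rejects anything else."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())

def version_in_affected_range(version_text):
    """True when 2.14.0 <= version < 2.17.6, i.e. an upgrade is required."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION

def assess_plugin_listing(listing_json):
    """Assess a UPM plugin listing (JSON text from GET /rest/plugins/1.0/).
    The listing cannot show whether the Help Center theme is in use, so
    'upgrade_required' only means the installed version is in the affected
    range; confirming theme usage remains a manual step for the administrator."""
    for plugin in json.loads(listing_json).get("plugins", []):
        if plugin.get("key") == VIEWPORT_PLUGIN_KEY:
            version = plugin.get("version", "")
            return {"installed": True, "version": version,
                    "enabled": bool(plugin.get("enabled", False)),
                    "upgrade_required": version_in_affected_range(version)}
    return {"installed": False, "version": None, "enabled": False,
            "upgrade_required": False}

def fetch_plugin_listing(base_url, username, password):
    """Fetch the listing from a Confluence Server instance (admin credentials)."""
    token = b64encode(f"{username}:{password}".encode()).decode()
    req = Request(f"{base_url.rstrip('/')}/rest/plugins/1.0/",
                  headers={"Authorization": f"Basic {token}",
                           "Accept": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

# Constructed sample listing (not captured from a real instance) for offline runs.
SAMPLE_LISTING = json.dumps({"plugins": [
    {"key": "com.example.unrelated-plugin", "version": "1.0.0", "enabled": True},
    {"key": VIEWPORT_PLUGIN_KEY, "version": "2.16.3", "enabled": True},
]})
```

Run `assess_plugin_listing(fetch_plugin_listing(base_url, user, password))` against a live instance, or `assess_plugin_listing(SAMPLE_LISTING)` offline; a result with `upgrade_required` set to True means the 2.17.6 upgrade above is still outstanding.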

We are here to support you

We apologize deeply for any inconvenience this issue has caused you. If you would like assistance in correcting it, then we are here to help.

If you have any questions or want support in fixing the issue on your system, please let us know at support@k15t.com. We are happy to schedule a 1:1 screen-sharing session to help you resolve the issue, should you so desire.

Created October 14, 2020 at 12:04 PM
Updated February 8, 2023 at 3:52 PM
Resolved October 14, 2020 at 12:04 PM