VSN-4208

The bundled Scroll Runtime plugin does not check permissions under certain conditions

    Details

    • Deployment: Server

      Description

      Summary

      This advisory discloses a security issue of medium severity affecting Scroll Versions, Scroll Translations and Scroll Acrolinx Connector, and provides a step-by-step guide to help you rectify the issue.

      If you have Scroll Runtime version 2.4.6 or earlier installed on your Confluence instances you may be affected by this issue. After updating Scroll Versions, Scroll Translations and Scroll Acrolinx Connector to version 3.11.3, your instance is no longer affected by this security issue because these app versions include Scroll Runtime 2.4.7.

      Severity

      K15t Software rates the severity level of this issue as medium, because exploiting the bug is limited to authenticated users and read-only operations.

      This is our baseline assessment – it's best if you evaluate its applicability to your own IT environment.

      Detailed description

      We found a bug in the Scroll Runtime plugin, which is bundled with the following Scroll apps:

      • Scroll Versions
      • Scroll Translations
      • Scroll Acrolinx Connector

      This bug enables authenticated users to read page IDs and titles from all spaces, regardless of space permissions and page-level restrictions. Other page information, such as content, attachments or comments, is NOT affected by this bug.

      Anonymous / unauthenticated users were NOT able to exploit the bug, even if access to anonymous users is enabled in Confluence and individual spaces.

      We've rated this bug with a CVSS score of 4.3 (Medium).

      Steps we've taken to fix this issue

      We released Scroll Versions, Scroll Translations and Scroll Acrolinx Connector versions 3.11.3 including Scroll Runtime 2.4.7 on Atlassian Marketplace.

      What you need to do to solve this issue on your instance

      A Confluence administrator needs to upgrade Scroll Versions, Scroll Translations and Scroll Acrolinx Connector to version 3.11.3 or later. This will also update Scroll Runtime to version 2.4.7.
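      Added example, not code from K15t or from this advisory: a small Python check that classifies installed Scroll app and Scroll Runtime versions against the fixed versions named above (3.11.3 for the three apps, 2.4.7 for the runtime). The plugin listing it reads is constructed inline; on a real instance an administrator would copy the names and versions from Confluence's Manage apps page, and the exact app names used for matching are an assumption. Versions are compared numerically per component, because a plain string comparison would rank 3.9.10 above 3.11.3.

```python
"""Classify installed Scroll app / Scroll Runtime versions as affected or fixed (VSN-4208)."""
from typing import Dict, List, Tuple

# Fixed versions as stated in the advisory.
FIXED_APP_VERSION = "3.11.3"      # Scroll Versions / Translations / Acrolinx Connector
FIXED_RUNTIME_VERSION = "2.4.7"   # bundled Scroll Runtime; 2.4.6 and earlier are affected

# App names as the advisory gives them; matching on these display names is an assumption.
AFFECTED_APPS = ("Scroll Versions", "Scroll Translations", "Scroll Acrolinx Connector")
RUNTIME_NAME = "Scroll Runtime"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.11.3' into (3, 11, 3). Leading digits of each component are used,
    so a suffix such as '2.4.7-SNAPSHOT' still parses as (2, 4, 7)."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(installed: str, fixed: str) -> bool:
    """True if `installed` is strictly older than `fixed`; missing components count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(plugins: List[Dict[str, str]]) -> Dict[str, str]:
    """Return {plugin name: 'affected' | 'fixed'} for the Scroll apps and runtime found.
    Unrelated apps are ignored; an app is 'fixed' at the fixed version or later."""
    result: Dict[str, str] = {}
    for plugin in plugins:
        name, version = plugin.get("name", ""), plugin.get("version", "")
        if name == RUNTIME_NAME:
            result[name] = "affected" if is_older(version, FIXED_RUNTIME_VERSION) else "fixed"
        elif name in AFFECTED_APPS:
            result[name] = "affected" if is_older(version, FIXED_APP_VERSION) else "fixed"
    return result


# Constructed sample of an installed-app listing (name and version per entry).
SAMPLE_PLUGINS = [
    {"name": "Scroll Versions", "version": "3.9.10"},
    {"name": "Scroll Translations", "version": "3.11.3"},
    {"name": "Scroll Runtime", "version": "2.4.6"},
    {"name": "Some Unrelated App", "version": "1.0.0"},
]

if __name__ == "__main__":
    for app, status in assess(SAMPLE_PLUGINS).items():
        print(f"{app}: {status}")
```

      In the constructed sample, Scroll Versions 3.9.10 and Scroll Runtime 2.4.6 are reported as affected while Scroll Translations 3.11.3 is reported as fixed; after the upgrade described above, every Scroll entry should come back as fixed.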

      People

      • Assignee: Unassigned
      • Reporter: Jens Rutschmann (K15t)