Stored XSS on page tree in External Share for Confluence
Description
Stored Cross-Site Scripting (XSS) is an injection attack in which malicious JavaScript is saved by the application and later served to other users. When a user visits the affected web page, the JavaScript executes within that user's browser in the context of this domain. Stored XSS can be found on this domain: an attacker who can submit data to a form (here, the title of a Confluence page that is rendered as HTML rather than text in the page tree of an external share link) can have that script run in the browser of any user type who views the page, which could include an Administrator level user.
When an attacker can control code that is executed within a user's browser, they are able to carry out any action that the user is able to perform, including accessing any of the user's data and modifying information within the user's permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies, which an attacker could use to hijack the user's session.
Business Impact
Stored XSS could lead to data theft, since the attacker can manipulate data through their access to the application and interact with other users, including performing further malicious actions that appear to originate from a legitimate user. These actions could also result in reputational damage for the business through the loss of customers' trust.
Steps to Reproduce
- Set up Confluence Cloud and install the External Share for Confluence app.
- Create a new page in any space in Confluence, enter "Parent" as the title. Publish the page.
- Create a new page under the "Parent" page, enter "Child" as the title. Publish the page.
- Create a new page under the "Child" page, enter the following XSS payload as the title, then publish the page:
  Grand Child <img src onerror="alert('XSS! at '+origin)">
- Create an External Share on the "Parent" page:
  - Go to the "Parent" page.
  - Under the page title, click the yellow paper plane icon (External Share).
  - Click the "Create External Share Link" button.
  - Tick the "Share child pages" checkbox.
- Trigger the XSS:
  - Open the external share link (from the URL field).
  - Observe the left navigation panel.
  - Click the chevron icon (>) on the "Child" entry (not the entry itself).
  - An alert will pop up, confirming JavaScript is executed.
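The reproduction above works because the stored page title is placed into the page-tree markup as HTML instead of text. The following is an added example, not code from External Share for Confluence: a minimal page-tree renderer built over a constructed tree with the same Parent / Child / Grand Child hierarchy and the same payload as the title of the grandchild. It shows the vulnerable rendering beside the escaped one, plus the check a tester can run on rendered markup during a regression pass. The node shape (`title`, `children`), the function names and the allowed-tag list are assumptions made for illustration.

```javascript
// Added example, not code from External Share for Confluence: a minimal page-tree
// renderer that reproduces the bug class and its fix. Node shape and function
// names are assumptions made for illustration.

// Constructed sample tree mirroring the Parent / Child / Grand Child hierarchy
// from the reproduction steps; the third title is the stored payload.
const SAMPLE_TREE = {
  title: "Parent",
  children: [
    {
      title: "Child",
      children: [
        {
          title: "Grand Child <img src onerror=\"alert('XSS! at '+origin)\">",
          children: [],
        },
      ],
    },
  ],
};

// Vulnerable renderer: the stored title is interpolated directly into markup
// that the client later assigns to innerHTML, so a title containing a tag
// becomes live DOM and its onerror handler runs as soon as the node is rendered
// (an <img> with an empty src fails to load, which fires onerror with no click).
function renderTreeUnsafe(node) {
  const kids = node.children.map(renderTreeUnsafe).join("");
  return `<li><span class="title">${node.title}</span>` +
    (kids ? `<ul>${kids}</ul>` : "") + "</li>";
}

// Fix: HTML-escape every untrusted string before it is placed in element
// content. These five characters cover text nodes and quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTreeSafe(node) {
  const kids = node.children.map(renderTreeSafe).join("");
  return `<li><span class="title">${escapeHtml(node.title)}</span>` +
    (kids ? `<ul>${kids}</ul>` : "") + "</li>";
}

// Regression check on rendered markup: the only tags allowed are the ones the
// renderer itself emits (li, ul, span). Any "<" left after stripping those
// means a stored title leaked through as HTML.
const RENDERER_TAGS = /<\/?(li|ul|span)\b[^>]*>/g;
function leaksMarkup(html) {
  return html.replace(RENDERER_TAGS, "").includes("<");
}

// Stand-alone run: report whether each rendering leaks markup.
if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe leaks markup:", leaksMarkup(renderTreeUnsafe(SAMPLE_TREE)));
  console.log("safe leaks markup:", leaksMarkup(renderTreeSafe(SAMPLE_TREE)));
}
```

When the tree is built with DOM APIs rather than an HTML string, the equivalent fix is to assign the title with `textContent` (or `document.createTextNode`) instead of `innerHTML`; escaping is only needed where markup is assembled as a string. The `leaksMarkup` check is deliberately strict: it flags any tag the renderer did not emit, so it also catches payloads that use elements other than `<img>`.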
QA pass done - this issue can no longer be reproduced on the Pages tree.
Things checked:
Putting the original payload in names of pages and folders on different levels of the hierarchy (child, grand child, etc.)
Putting around 50 other payloads (from the following list) in child pages' names, page contents
Modifying Page Navigation Links settings in Page Customization (just in case)
Adding and editing normal and inline comments
An XSS vulnerability has been found; however, as it occurs on PROD as well, it's not a regression. It has been reported separately:
Ready to merge.
I reported this vulnerability in comments under a new ticket:
I am no longer able to reproduce the issue as described on [QA] ESFC; however, I can reproduce the XSS issue with the same payload in the comment section, by pasting the payload and applying "code" formatting to it. After that, the XSS alert appears on clicking either Save or Cancel. Note that this is a viable reproduction method on PROD as well, therefore it's not a regression.
@Kamil Zarychta should I report this as a new issue? It uses the same payload, but the affected area is the comment section. By the way, as shown in the video above, the page content editing screen is not affected.
@Testers:
* Check also - this should fix both issues. Sorry, this is unrelated after all, I will fix that separately.
* Please do a regression check on adding/editing comments.