Open redirect at https://confluence.external-share.com/

Description

Below is the issue as described by a bugcrowd user

I found a vulnerability in the External Share for Confluence app where the redirect= parameter can point to any website, like http://evil.com. As an attacker, I can direct the victim to a malicious, malware or phishing website.

NOTE

The domain https://confluence.external-share.com/ is from the app; when you create an external share you will get that domain.

Steps to reproduce

  1. Go to https://confluence.external-share.com/active-user-session-check?uuid=xxxs&redirect=https://evil.com

  2. You will be redirected to http://evil.com

Impact

Open redirection attacks are most commonly used to support phishing attacks, or redirect users to malicious websites.

What to verify:

  • The redirect parameter on /active-user-session-check no longer allows redirection to external or untrusted hosts (e.g. redirect=https://evil.com should fall back to the application's main page).

  • Redirection to the application's own domain works correctly.

  • Redirection to a configured custom domain works correctly.

  • Password-protected shares correctly redirect after successful authentication.
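The following is an added example (not code from the External Share app or from this ticket) of the redirect validation the checklist above describes: the redirect target is kept only when its host exactly matches the application's own domain or a configured custom domain, otherwise the application's main page is used. The hostnames docs.example-customer.com and the /share/... paths are constructed for illustration; only confluence.external-share.com and the /active-user-session-check endpoint come from the ticket. The example also covers the usual bypass shapes a reviewer should test against (scheme-relative //host, userinfo tricks, backslashes, non-http schemes, and hosts that merely end with the trusted domain).

```python
from typing import FrozenSet, Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Host taken from the ticket; the custom domain is a constructed example
# standing in for a customer-configured domain.
APP_HOST = "confluence.external-share.com"
ALLOWED_HOSTS: FrozenSet[str] = frozenset({APP_HOST, "docs.example-customer.com"})
DEFAULT_TARGET = "https://confluence.external-share.com/"


def resolve_redirect(redirect: Optional[str],
                     allowed_hosts: FrozenSet[str] = ALLOWED_HOSTS,
                     default: str = DEFAULT_TARGET) -> str:
    """Return a safe Location value for the given redirect= parameter.

    Anything that does not resolve to a same-origin path or to an exact
    allow-listed host falls back to the application's main page.
    """
    if not redirect:
        return default

    # Browsers treat backslashes like forward slashes in URLs; normalise first
    # so that urlsplit() sees the same structure the browser will.
    candidate = redirect.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    # Relative path on the same origin ("/share/abc"): allowed.
    # "//evil.com" has an empty scheme but a netloc, so it does not qualify.
    if parts.scheme == "" and parts.netloc == "":
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default

    # Reject javascript:, data:, scheme-relative and any other non-http(s) form.
    if parts.scheme not in ("http", "https"):
        return default

    # hostname is lower-cased and has userinfo and port removed, so
    # "https://confluence.external-share.com@evil.com" resolves to evil.com.
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return default

    try:
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return default

    # Rebuild the URL from validated pieces: https only, no userinfo.
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, parts.fragment))


def location_for_session_check(query_string: str) -> str:
    """Compute the Location header for /active-user-session-check?uuid=...&redirect=...

    Only the redirect= parameter is validated here; the uuid handling is out of
    scope for this example.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    redirect = params.get("redirect", [None])[0]
    return resolve_redirect(redirect)


if __name__ == "__main__":
    # Constructed sample inputs, the first one mirroring the ticket's reproduction step.
    for q in ("uuid=xxxs&redirect=https://evil.com",
              "uuid=xxxs&redirect=/share/abc",
              "uuid=xxxs&redirect=https://docs.example-customer.com/page"):
        print(f"{q!r:60} -> {location_for_session_check(q)}")
```

Exact host matching rather than suffix or prefix matching is the point of the allow-list: confluence.external-share.com.evil.com and confluence.external-share.com@evil.com both look like the trusted domain to a naive string check but resolve to evil.com here.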

Activity

Andrzej Kaliciecki 19 March 2026, 12:04

Confirmed fixed in QA env