...
First a general note: no code from SharePoint (Online) is executed on the Confluence server (or the other way around), as all of the integration happens in the browser. So the only possible attacks are via client-side (browser) scripts.
The content embedded from SharePoint in Confluence might contain malicious scripts
...
that could harm Confluence (or the other way around)
The embedded content is either
fetched via the SharePoint/Confluence REST API and rendered by our app, which escapes any data received and thus prevents XSS attacks,
or embedded via an iframe, which cannot access the surrounding page.
Thus, there should be no threat regarding that point.
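As an added illustration of the first embedding path above (this is example code, not the connector's own implementation), the following contrasts rendering REST data raw with rendering it escaped; the sample list items, field names and function names are constructed for this example:

```javascript
// Added example (not the connector's own code): data fetched from the
// SharePoint REST API is user-controlled (any list editor can type markup
// into a Title), so the renderer must escape every value before it becomes
// HTML in the Confluence page.

// Constructed sample of what a SharePoint list REST call might return.
// The second item carries markup in its Title, as a user could type it.
const SAMPLE_ITEMS = [
  { Title: "Quarterly report", Modified: "2023-05-02" },
  { Title: "<img src=x onerror=\"alert(1)\"> roadmap", Modified: "2023-05-03" },
];

// Escape the five characters that matter in HTML text and attribute values.
// Ampersand goes first so the entities introduced below are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: field values are concatenated straight into markup,
// so markup in a Title becomes part of the page (an XSS sink).
function renderUnsafe(items) {
  return items.map(i => `<li>${i.Title} (${i.Modified})</li>`).join("");
}

// Hardened rendering: every value from the REST response passes through
// escapeHtml, so it is displayed as text and never parsed as HTML.
function renderEscaped(items) {
  return items
    .map(i => `<li>${escapeHtml(i.Title)} (${escapeHtml(i.Modified)})</li>`)
    .join("");
}

// Check helper: true when the rendered markup contains a tag that did not
// come from the template (the template only emits <li> and </li>).
function containsForeignTag(html) {
  return /<[a-z!\/]/i.test(html.replace(/<\/?li>/g, ""));
}
```

The same escaping applies to any value taken from the Confluence REST API when it is rendered inside SharePoint.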
...
If an attacker can deploy malicious code to either Confluence or SharePoint, he could indeed attack the other instance by using the account of the user who is currently browsing Confluence or SharePoint. To do that, the attacker needs to be able to either
1. leverage an exploit in SharePoint or Confluence
2. or deploy an app to SharePoint or Confluence
There is not much you can do about 1. other than always running a patched version of SharePoint and Confluence.
...
For details about SharePoint see
Information regarding apps: https://docs.microsoft.com/sharepoint/extend-and-develop
Information regarding custom JavaScript: pay close attention to the "custom scripts" feature, as it allows any user in SharePoint to deploy arbitrary scripts: https://docs.microsoft.com/de-de/sharepoint/allow-or-prevent-custom-script
However, if you do not need the ability to embed content into SharePoint, there is a way to completely deactivate that part of our app and, with it, all the threats listed here. This can be achieved by deactivating the "SharePoint Connector for Confluence Add-In Extensions" app, which is bundled with the SharePoint Connector for Confluence.
For details about Confluence see
Information regarding apps: https://confluence.atlassian.com/cloud/marketplace-apps-873871382.html
Information regarding custom JavaScript: also pay close attention to the HTML macro, as it can allow any user in Confluence to deploy arbitrary scripts: https://confluence.atlassian.com/doc/html-macro-38273085.html
Info: We have also published a high-level overview of data security for the SharePoint Connector for Confluence in this blog post.