Vulnerability notification: Process Management Suite for Confluence

 

Summary

Cross-site scripting vulnerabilities in Process Management Suite for Confluence

Advisory Release Date

28 October 2020

Product

Process Management Suite for Confluence

Affected Versions

all Process Management Suite for Confluence versions until 3.1.2

Fixed Version

3.1.3

Problem

We were able to identify stored cross-site scripting (XSS) vulnerabilities in our Metadata for Confluence app. The details of the vulnerabilities are described in a separate blog post.

Since our Process Management Suite for Confluence app bundles Metadata for Confluence, it is also affected by these security issues.

The vulnerabilities have been rated as P2 (High) according to the scale published under the Bugcrowd’s Vulnerability Rating Taxonomy (VRT).

All Process Management Suite for Confluence versions until 3.1.2 are affected.

Solution

If you are using an affected version of Process Management Suite for Confluence, please immediately upgrade to version 3.1.3.

Root Cause

The root cause are the stored cross-site scripting issues we found in the bundled Metadata for Confluence app. They allow users to provide input that would be rendered as HTML. The HTML code which might contain JavaScript will then be executed in the context of the user viewing the content. This kind of vulnerability could be exploited for different attacks, including an escalation of privileges.

To address the problem we resolved the issues in Metadata for Confluence and bundled the fixed version in our Process Management Suite for Confluence app.