XSRF and IDOR vulnerabilities in Process Management Suite for Confluence
Advisory Release Date: 17 November 2020
Affected Product: Process Management Suite for Confluence
Affected Versions: all Process Management Suite for Confluence versions until 3.1.3
We were able to identify cross-site request forgery (also known as XSRF or CSRF) and insecure direct object references (IDOR) vulnerabilities in our Metadata for Confluence app. The details of the vulnerabilities are described in a separate blog post.
Since our Process Management Suite for Confluence app bundles Metadata for Confluence, it is also affected by these security issues.
Depending on the way the Metadata app is used in Confluence, the XSRF and IDOR vulnerabilities have to be rated as P2 (High) or P3 (Medium) according to the scale published in Bugcrowd's Vulnerability Rating Taxonomy (VRT).
All Process Management Suite for Confluence versions up to and including 3.1.3 are affected.
If you are using an affected version of Process Management Suite for Confluence, please immediately upgrade to version 3.1.4.
Some of Metadata's write operations were missing appropriate measures to prevent cross-site request forgery attacks.
Regarding the IDOR vulnerabilities, Metadata had incomplete permission checks for some of its operations. In such cases users were able to exploit the vulnerabilities by providing a content ID to the affected Metadata endpoints that had been guessed, brute-forced or obtained by other means.
To address the problem we resolved the issues in Metadata for Confluence and bundled the fixed version in our Process Management Suite for Confluence app.
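The following is an added illustration of the two missing checks described above, not code from Metadata for Confluence or the Process Management Suite: a minimal model of a "write metadata for a content ID" endpoint, once as the vulnerable pattern (authentication only) and once with an XSRF token check and a per-content permission check. Users, session IDs and content IDs are constructed for the example.

```python
# Added illustration, not code from Metadata for Confluence or the Process
# Management Suite: a minimal model of a "write metadata for a content ID"
# endpoint with and without the two checks the advisory describes.
# Users, content IDs and session IDs are constructed for this example.
import hmac
import secrets
from dataclasses import dataclass

EDIT_PERMISSIONS = {"alice": {1001}, "bob": {2002}}  # user -> editable content IDs
METADATA = {}        # content_id -> {key: value}; stands in for the app's store
SESSION_TOKENS = {}  # session_id -> XSRF token issued to that session

@dataclass
class Request:
    """Stand-in for an already authenticated HTTP request."""
    user: str          # user resolved from the session cookie
    session_id: str
    content_id: int    # attacker-chosen in the IDOR scenario
    key: str
    value: str
    xsrf_token: str = ""  # sent by the app's own UI, absent in a forged request

def issue_xsrf_token(session_id: str) -> str:
    """Bind a fresh unguessable token to the session (defender side)."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token

def vulnerable_set_metadata(req: Request) -> bool:
    """Pattern the advisory describes: authentication only. A forged
    cross-site request rides on the victim's cookie (XSRF) and any content
    ID the caller supplies is written to (IDOR)."""
    METADATA.setdefault(req.content_id, {})[req.key] = req.value
    return True

def hardened_set_metadata(req: Request) -> bool:
    """Same write with both missing checks in place."""
    # 1. XSRF: the token must match the one issued to this session.
    expected = SESSION_TOKENS.get(req.session_id)
    if not expected or not hmac.compare_digest(
            expected.encode(), req.xsrf_token.encode()):
        return False
    # 2. IDOR: the caller must hold edit permission on this content ID,
    #    regardless of how the ID was obtained.
    if req.content_id not in EDIT_PERMISSIONS.get(req.user, set()):
        return False
    METADATA.setdefault(req.content_id, {})[req.key] = req.value
    return True
```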