Project: Content Formatting Development
Issue: CONTENTF-223

iframe XSS Vulnerability & Patch


    Details

    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.3.1
    • Component/s: None
    • Labels:
    • Critical Points:
      0

      Description

      We were made aware of a potential XSS exploit in which a user with edit rights on a page could use the iframe macro to embed a lookalike (phishing) website inside a Confluence instance.

      The attack is limited to the content of the iframe: the browser's same-origin policy still applies, so the framed page cannot read the surrounding Confluence page, its cookies or its session, and any attempt to steal credentials or session data from Confluence itself would require a further exploit.

      According to Atlassian's security severity levels, this bug is ranked Medium.

      This vulnerability affects all previous versions of the app.

      How to fix the vulnerability 

      This vulnerability is fixed by upgrading to Content Formatting 6.3.1 or later. Full instructions on how to upgrade an app can be found on Atlassian's support page. Once you have upgraded, a new feature is available in the Confluence app/add-on menu, entitled the iframe configuration menu.

      This feature automatically sandboxes all iframe macros in your instance and lets you allow, sandbox or deny iframes according to your internal security policy. Note that an iframe whose source you choose to allow is rendered without the sandbox restrictions, so only allow origins you trust; anything not explicitly allowed or denied is sandboxed by default.
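      As an added illustration of how such an allow/sandbox/deny policy can be applied to an iframe macro (example code, not the Content Formatting app's own implementation, which is not shown in this issue), the JavaScript below classifies a macro's src against a policy object and renders the matching markup. The policy shape, function names and sample origins are assumptions made for the example; the effect of the HTML sandbox attribute is standard browser behaviour.

```javascript
// Added illustration of an allow / sandbox / deny policy for iframe macro
// output. Hypothetical code: not the Content Formatting app's implementation.
// Policy shape, function names and the sample origins are assumptions.

// Decide how an iframe macro with the given src should be treated.
// policy = { allow: [origins], deny: [origins], default: 'sandbox' | 'deny' }
function classifyIframeSrc(src, policy) {
  let url;
  try {
    url = new URL(src); // absolute URLs only; relative or malformed input is rejected
  } catch (e) {
    return { decision: 'deny', href: null, reason: 'unparsable src' };
  }
  // A javascript: (or data:) src would execute in the embedding page's origin,
  // defeating the same-origin boundary the description relies on.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { decision: 'deny', href: null, reason: `scheme ${url.protocol} not permitted` };
  }
  if (policy.deny.includes(url.origin)) {
    return { decision: 'deny', href: null, reason: 'origin on deny list' };
  }
  if (policy.allow.includes(url.origin)) {
    return { decision: 'allow', href: url.href, reason: 'origin on allow list' };
  }
  // Everything not explicitly trusted falls back to the configured default;
  // 'sandbox' is the safe choice and mirrors "sandbox all iframe macros".
  return { decision: policy.default, href: url.href, reason: 'default policy' };
}

// Escape a value for use inside a double-quoted HTML attribute so a macro
// parameter cannot break out of the src attribute (attribute injection).
function escapeAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the iframe macro's HTML according to the policy decision.
function renderIframeMacro(src, policy) {
  const { decision, href } = classifyIframeSrc(src, policy);
  if (decision === 'deny') {
    return '<div class="iframe-macro-blocked">Embedded content blocked by site policy.</div>';
  }
  const attrs = [`src="${escapeAttr(href)}"`];
  if (decision === 'sandbox') {
    // An empty sandbox value applies every restriction: no scripts, no form
    // submission, no top-level navigation, and an opaque origin. A lookalike
    // login page can still be displayed, but it cannot post typed credentials
    // anywhere or navigate the user away from the Confluence page.
    attrs.push('sandbox=""');
  }
  return `<iframe ${attrs.join(' ')}></iframe>`;
}

// Constructed sample policy (illustrative origins, not real data).
const SAMPLE_POLICY = {
  allow: ['https://www.youtube.com'],
  deny: ['https://blocked.example'],
  default: 'sandbox',
};

// Render a set of constructed inputs, including a lookalike page, a blocked
// origin, a javascript: URL and an attribute-injection attempt.
function renderSamples(policy = SAMPLE_POLICY) {
  const inputs = [
    'https://www.youtube.com/embed/abc123',
    'https://lookalike.example/confluence/login',
    'https://blocked.example/',
    'javascript:alert(document.domain)',
    'https://lookalike.example/a" onload="alert(1)',
  ];
  return inputs.map((src) => ({ src, html: renderIframeMacro(src, policy) }));
}
```

      Call renderSamples() to see each case: the allowed origin renders a plain iframe, the lookalike page renders with sandbox="", the denied origin and the javascript: URL are replaced by a placeholder, and the injection attempt ends up percent-encoded and attribute-escaped inside src rather than adding an onload handler.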

      More information can be found in our documentation.

       If you have urgent questions please contact our support team.

            People

            Assignee: Unassigned
            Reporter: Dylan Lindsay (dlindsay)
            Votes: 0
            Watchers: 2
