Date: Mon, 4 Jan 2016 12:28:46 +0100
From: Sebastian Perez <>
Subject: [FD] Confluence Vulnerabilities

[Systems Affected]
Product : Confluence
Company : Atlassian
Versions (1) : 5.2 / 5.8.14 / 5.8.15
CVSS Score (1) : 6.1 / Medium (classified by vendor)
Versions (2) : 5.9.1 / 5.8.14 / 5.8.15
CVSS Score (2) : 7.7 / High (classified by vendor)

[Product Description]
Confluence is team collaboration software for creating, organizing and
discussing work with a team. It is developed and marketed by Atlassian.

Two vulnerabilities were identified within this application:
(1) Reflected Cross-Site Scripting (CVE-2015-8398)
(2) Insecure Direct Object Reference (CVE-2015-8399)

[Advisory Timeline]
26/Oct/2015 - Discovery and vendor notification
26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)
26/Oct/2015 - Issue CONF-39689 created
27/Oct/2015 - Vendor replied for Insecure Direct Object Reference (SEC-491 / SEC-492)
27/Oct/2015 - Issue CONF-39704 created
16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed
19/Nov/2015 - Vendor confirmed that Insecure Direct Object Reference was

[Patch Available]
According to the vendor, upgrade to Confluence version 5.8.17

[Description of Vulnerabilities]
(1) Reflected Cross-Site Scripting
An unauthenticated reflected cross-site scripting vulnerability was found in
the REST API. The affected endpoint is /rest/prototype/1/session/check/ and
the payload used to demonstrate it is <img src=a onerror=alert(document.cookie)>,
which is reflected into the response unencoded and executes in the browser of
anyone who opens the crafted request.
CVE-2015-8398 / SEC-490 / CONF-39689
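As an added illustration, not part of the advisory and not Atlassian's code: a small Python check that classifies how a response reflects the advisory's probe string, separating the browser-executable case (probe verbatim in a text/html body) from an HTML-escaped reflection and from a verbatim echo in a non-HTML body, and shows the output-encoding fix on the server side. The advisory does not name the request parameter that carries the payload, so the check works on a response body the reader captures; the sample responses below are constructed, not taken from a Confluence instance.

```python
import html
import json

# The probe string from the advisory.
PAYLOAD = "<img src=a onerror=alert(document.cookie)>"

# Constructed responses (not captured from a real Confluence instance). The
# first models the behaviour the advisory describes: the probe comes back
# verbatim inside an HTML document, so a browser runs the onerror handler.
SAMPLES = {
    "unpatched_html": (
        "text/html;charset=UTF-8",
        "<html><body>Invalid session: " + PAYLOAD + "</body></html>",
    ),
    # A fixed build: the same text, output-encoded before it hits the page.
    "patched_html": (
        "text/html;charset=UTF-8",
        "<html><body>Invalid session: " + html.escape(PAYLOAD) + "</body></html>",
    ),
    # A JSON error body echoing the input. json.dumps does not encode '<' or
    # '>', so the probe is reflected verbatim, but with this Content-Type a
    # browser will not parse the body as HTML when it is loaded directly.
    "json_error": (
        "application/json",
        json.dumps({"error": "Invalid session: " + PAYLOAD}),
    ),
    "no_echo": ("text/html", "<html><body>Invalid session</body></html>"),
}


def media_type(content_type):
    """'text/html;charset=UTF-8' -> 'text/html'."""
    return content_type.split(";", 1)[0].strip().lower()


def reflection_status(body, content_type, payload=PAYLOAD):
    """Classify how a response handles a probe string.

    Returns one of:
      'exploitable'        probe is verbatim in a text/html response
      'reflected-non-html' probe is verbatim, but the response is not HTML;
                           only dangerous if something renders it as HTML
      'encoded'            probe is present only in HTML-escaped form (fixed)
      'not-reflected'      probe does not appear at all
    """
    if payload in body:
        if media_type(content_type) == "text/html":
            return "exploitable"
        return "reflected-non-html"
    if html.escape(payload) in body:
        return "encoded"
    return "not-reflected"


def classify_samples():
    """Run the check over every constructed sample (useful as a regression test)."""
    return {name: reflection_status(body, ctype)
            for name, (ctype, body) in SAMPLES.items()}


def render_error(user_input):
    """The fix on the output side: escape before interpolating into HTML."""
    return ("<html><body>Invalid session: "
            + html.escape(user_input, quote=True)
            + "</body></html>")


if __name__ == "__main__":
    for name, status in classify_samples().items():
        print(f"{name:15} {status}")
    print("render_error    ", reflection_status(render_error(PAYLOAD), "text/html"))
```

When retesting after the upgrade to 5.8.17, the endpoint should yield 'encoded' or 'not-reflected' for the probe. The Content-Type distinction matters for REST endpoints: a verbatim echo inside an application/json body is worth reporting, but it is not on its own a browser-executable cross-site scripting issue; the text/html case is.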

(2) Insecure Direct Object Reference
Two instances of Insecure Direct Object Reference were found within the
application; both allow any authenticated user to read configuration files
from the application.
CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704

This is an example of accepted <FILE> parameters
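The advisory's list of accepted <FILE> values did not survive in this archive copy. As an added example, not the advisory's or Atlassian's code, with hypothetical file names and an assumed shape for the fix, the Python below contrasts a handler that passes the client-supplied name straight to the filesystem with one that first requires an administrator, then treats the name as a key into a fixed allow-list, and still verifies that the resolved path stays under the configuration directory. The directory tree it reads is constructed in a temporary directory.

```python
import os
import shutil
import tempfile
from pathlib import Path


def build_demo_tree():
    """Constructed stand-in for an application home directory.

    The file names are hypothetical; the advisory's own list of accepted
    values did not survive on the page.
    """
    home = Path(tempfile.mkdtemp(prefix="conf-demo-"))
    (home / "config").mkdir()
    (home / "config" / "server.properties").write_text("port=8090\n")
    (home / "db-credentials.txt").write_text("dbpass=hunter2\n")  # outside config/
    return home


# Files an authorised caller may fetch by name. Anything else is refused,
# whatever its path looks like.
ALLOWED_CONFIG = {"server.properties"}


def read_config_vulnerable(home, requested):
    """Direct object reference: the client-supplied name is used as-is.

    There is no authorisation check and no restriction on the name, so any
    logged-in caller can reach files outside config/ via '..' or, because
    os.path.join discards the base when the second part is absolute, any
    absolute path the process can read.
    """
    return Path(os.path.join(home, "config", requested)).read_text()


def read_config_hardened(home, requested, is_admin):
    """Authorise first, then use the name as an allow-list key, and still
    confirm the resolved path lies under config/ (defence in depth)."""
    if not is_admin:
        raise PermissionError("configuration files are restricted to administrators")
    if requested not in ALLOWED_CONFIG:
        raise PermissionError(f"{requested!r} is not an exposed configuration file")
    base = (home / "config").resolve()
    target = (base / requested).resolve()
    if base not in target.parents:
        raise PermissionError("resolved path escapes the configuration directory")
    return target.read_text()


def run_demo():
    """Exercise both handlers with three request shapes and return the outcomes."""
    home = build_demo_tree()
    cases = {
        "allowed": "server.properties",
        "traversal": "../db-credentials.txt",
        "absolute": str(home / "db-credentials.txt"),
    }
    results = {}
    try:
        for label, req in cases.items():
            results["vulnerable/" + label] = read_config_vulnerable(home, req)
            for role, is_admin in (("user", False), ("admin", True)):
                try:
                    results[f"hardened-{role}/{label}"] = read_config_hardened(home, req, is_admin)
                except PermissionError:
                    results[f"hardened-{role}/{label}"] = "DENIED"
    finally:
        shutil.rmtree(home, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:30} {value!r}")
```

The allow-list is the essential part: once the client can only name keys, not paths, a path check is a second line of defence rather than the only one. The absolute-path case is included because it is the one a traversal filter on '..' alone would miss.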

