-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2022-049
Product: Handy Macros for Confluence
Manufacturer: Stiltsoft Europe
Affected Version(s): 3.x ≤ 3.5.3
Tested Version(s): 3.5.3 on Confluence 7.19.1
Vulnerability Type: Stored Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Solved
Manufacturer Notification: 2022-10-18
Solution Date: 2022-10-26
Public Disclosure: 2022-12-07
CVE Reference: CVE-2022-44724
Author of Advisory: Patrick Schlüter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Handy Macros for Confluence is a Confluence plug-in which provides a
variety of macros.

The manufacturer describes the product as follows (see [1]):

"Change statuses and dates when viewing a page to save time. Get more
from task reminders, timestamps, dynamic cards, and buttons."

Due to insufficient input validation, the Handy Tip macro is vulnerable
to cross-site scripting (XSS) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Handy Tip macro does not validate or escape user-controlled input,
which can therefore be used to execute JavaScript code. This allows
attackers to embed malicious JavaScript code in the macro. The embedded
code is executed whenever a user visits the page, allowing the attacker
to perform actions in that user's context.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Create or edit a page and add a Handy Tip macro with the following
   content:

   XSS

2. Save the page.

3. Visit the page. This should execute the XSS payload, which will
   trigger a pop-up stating "XSS in Handy Tip macro".

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update the plug-in to version 3.5.5 or higher.
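The root cause described above is macro body text reaching the rendered page as raw markup. As an added illustration that is not part of this advisory or of the vendor's fix, the following allow-list sanitizer shows the defensive pattern: only a few attribute-free formatting tags are passed through, and every other tag (including style and script tags, and any tag carrying attributes) is HTML-escaped. The tag allow-list and the sample inputs are constructed for this example.

```javascript
// Constructed allow-list for a simple inline-formatting macro body.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "br"]);

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render untrusted macro text: keep bare <tag> / </tag> only when the tag
// name is allow-listed; escape everything else. Because the pattern admits
// no attributes at all, event handlers (onerror=, onload=) and style=
// attributes can never survive, and unknown tags such as <style> or
// <script> are emitted as harmless text.
function sanitizeTip(input) {
  const tagRe = /<\s*(\/?)\s*([a-zA-Z]+)\s*>/g; // attribute-free tags only
  let out = "";
  let last = 0;
  for (const m of input.matchAll(tagRe)) {
    out += escapeHtml(input.slice(last, m.index)); // text between tags
    const [whole, slash, name] = m;
    const tag = name.toLowerCase();
    out += ALLOWED_TAGS.has(tag) ? `<${slash}${tag}>` : escapeHtml(whole);
    last = m.index + whole.length;
  }
  out += escapeHtml(input.slice(last)); // trailing text
  return out;
}

// Constructed inputs: formatting is kept, a style block is neutralised,
// and a tag with an attribute is escaped rather than rendered.
const samples = [
  "<b>Tip</b> & <style>body{display:none}</style>",
  "<em onload=x>text</em>",
  '1 < 2 and "quoted"',
];
for (const s of samples) console.log(sanitizeTip(s));
```

The second fix in the timeline (the first update "still allowed arbitrary style tags") is exactly the gap a deny-list misses and an allow-list closes by construction.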
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2022-10-18: Vulnerability reported to manufacturer
2022-10-21: Update released by manufacturer
2022-10-24: Update tested, still allowed arbitrary style tags
2022-10-26: Second update released by manufacturer
2022-12-07: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Handy Macros for Confluence
    https://marketplace.atlassian.com/apps/1214971/handy-macros-for-confluence-formatting-and-interactive-ui?hosting=datacenter&tab=overview
[2] SySS Security Advisory SYSS-2022-049
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-049.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Patrick Schlüter of SySS GmbH.

E-Mail: patrick.schlueter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Patrick_Schlüter.asc
Key ID: 0x2F86A35CF24BD3BB
Key Fingerprint: 5089 52DD 4550 1B5A 01BB 7827 2F86 A35C F24B D3BB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en