EasyMind – Cross-Site Scripting (CVE-2023-30452)

ITEM Comment
Software EasyMind – Mind Maps for Confluence
Vendor MoroSystems, s.r.o
Version < 2.15.0
Type of Issue Cross-Site Scripting
CWE https://cwe.mitre.org/data/definitions/79.html
CVE CVE-2023-30452
OWASP Testing for Stored Cross Site Scripting
Roles affected All
CVSS High – 8.5
Credits Sven Schlüter & Thore Imhof from Y-Security


The plugin EasyMind – Mind Maps for Confluence allows the creation of Mind Maps and Graphics in Confluence that can be shared with other team members. It was possible to embed JavaScript within a Mind Map that would be executed as soon as someone clicked on it.

Mitigation & Recommendation

The vulnerability has been fixed in version 2.15.0, although it is not mentioned explicitly which security vulnerabilities were fixed with this patch.

It is recommended to upgrade the plugin to the latest version, which fixes this vulnerability. We confirmed that our initial exploit payload no longer works, however no extensive analysis of the patch was done from our side.

We closely follow the OWASP Guidelines when performing penetration tests and we recommend following the Cross-Site Scripting Prevention Cheat Sheet to successfully mitigate Cross-Site Scripting vulnerabilities.

Disclosure Policy

At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclosure the vulnerability after a fix had been released.

Disclosure Timeline

04.11.2022 Y-Security discovered security vulnerability & communicated to client
22.12.2022 Y-Security reported issue to Atlassian Bugcrowd Program
24.12.2022 Bugcrowd opened bug
04.01.2023 Bugcrowd requested addiotional information
04.01.2023 Y-Security provided neccessary information
04.01.2023 Bugcrowd reproduced & acknowledged issue
13.01.2023 Bugcrowd forwarded issue to Product Owner
16.01.2023 Y-Security requested CVE via Bugcrowd
30.01.2023 Y-Security requested update
01.02.2023 Bugcrowd declined CVE Request
23.02.2023 MoroSystems released fix
01.03.2023 Y-Security reminded Bugcrowd of disclosure date
13.03.2023 Y-Security requested statement regarding Fix
04.04.2023 Y-Security requested update with no response
10.04.2023 CVE assigned (CVE-2023-30452)
11.04.2023 Y-Security informed Bugcrowd of assigned CVE
16.05.2023 Y-Security disclosed CVE-2023-30452


Thore Imhof
Y-Security GmbH
16. May 2023