|Software||EasyMind – Mind Maps for Confluence|
|Type of Issue||Cross-Site Scripting|
|OWASP||Testing for Stored Cross Site Scripting|
|CVSS||High – 8.5|
|Credits||Sven Schlüter & Thore Imhof from Y-Security|
Mitigation & Recommendation
The vulnerability has been fixed in version 2.15.0, although it is not stated explicitly which security vulnerabilities were fixed with this patch.
We recommend upgrading the plugin to the latest version, which fixes this vulnerability. We confirmed that our initial exploit payload no longer works; however, no extensive analysis of the patch was done on our side.
We closely follow the OWASP Guidelines when performing penetration tests and we recommend following the Cross-Site Scripting Prevention Cheat Sheet to successfully mitigate Cross-Site Scripting vulnerabilities.
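As an added illustration of the cheat sheet's contextual output-encoding rules (this is example code written for this advisory, not EasyMind's or Atlassian's code): the data model, a user-supplied node label that is stored and later rendered into markup, and the `<div>` template are assumptions made for illustration only. The unsafe renderer shows the general shape of a stored XSS sink; the hardened one encodes each interpolation for the context it lands in.

```javascript
// Added example (not EasyMind or Atlassian code): contextual output encoding as
// described in the OWASP Cross-Site Scripting Prevention Cheat Sheet. The data
// model (a stored node label rendered into a <div>) is an assumption for
// illustration, not the plugin's real code.

// OWASP Rule #1, HTML body context: encode the six characters that can end
// text content or start markup.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// OWASP Rule #2, HTML attribute context: encode everything except
// alphanumerics as &#xHH; so the value cannot break out of the attribute,
// whether it is quoted or not.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// Vulnerable rendering: the stored label is concatenated into markup twice,
// once inside an attribute and once in the element body, with no encoding.
function renderNodeUnsafe(label) {
  return '<div class="node" title="' + label + '">' + label + '</div>';
}

// Hardened rendering: each interpolation is encoded for its own context.
function renderNodeSafe(label) {
  return '<div class="node" title="' + encodeForHtmlAttribute(label) + '">'
    + encodeForHtml(label) + '</div>';
}

// Count HTML tags in a fragment. A rendered node should contain exactly two
// (the opening and closing <div>); anything more is injected markup.
function countTags(html) {
  const tags = html.match(/<\/?[a-zA-Z]/g);
  return tags ? tags.length : 0;
}

// Constructed stored-XSS probe (not a payload from the original report):
// closes the title attribute, then injects an element with an event handler.
const CONSTRUCTED_PAYLOAD = '"><img src=x onerror=alert(1)>';

console.log('unsafe (' + countTags(renderNodeUnsafe(CONSTRUCTED_PAYLOAD)) + ' tags):',
  renderNodeUnsafe(CONSTRUCTED_PAYLOAD));
console.log('safe   (' + countTags(renderNodeSafe(CONSTRUCTED_PAYLOAD)) + ' tags):',
  renderNodeSafe(CONSTRUCTED_PAYLOAD));
```

In browser code the first choice is to avoid building markup as a string at all and use DOM APIs such as `textContent` and `setAttribute`; the encoders above are for server-side templating or legacy code paths that must emit HTML strings. Values that land in a JavaScript, CSS or URL context need the cheat sheet's separate rules for those contexts, not the HTML encoders shown here.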
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded; we therefore decided to disclose the vulnerability after a fix had been released.
|04.11.2022||Y-Security discovered security vulnerability & communicated to client|
|22.12.2022||Y-Security reported issue to Atlassian Bugcrowd Program|
|24.12.2022||Bugcrowd opened bug|
|04.01.2023||Bugcrowd requested additional information|
|04.01.2023||Y-Security provided necessary information|
|04.01.2023||Bugcrowd reproduced & acknowledged issue|
|13.01.2023||Bugcrowd forwarded issue to Product Owner|
|16.01.2023||Y-Security requested CVE via Bugcrowd|
|30.01.2023||Y-Security requested update|
|01.02.2023||Bugcrowd declined CVE Request|
|23.02.2023||MoroSystems released fix|
|01.03.2023||Y-Security reminded Bugcrowd of disclosure date|
|13.03.2023||Y-Security requested statement regarding Fix|
|04.04.2023||Y-Security requested update with no response|
|10.04.2023||CVE assigned (CVE-2023-30452)|
|11.04.2023||Y-Security informed Bugcrowd of assigned CVE|
|16.05.2023||Y-Security disclosed CVE-2023-30452|
16. May 2023