This is a Security Advisory about about the following vulnerability in S/Notify for Confluence.
CSRF based XSS vulnerability found in S/MIME user upload
CVE-ID: CVE-2024-23735 (Confluence only)
We would like to inform our clients about a CSRF (Cross Site Request Forgery) based XSS (Cross Site Scripting) vulnerability that has been found in the S/MIME certificate upload functionality of the User Profile pages of S/Notify for Confluence.
You would be affected when
you use S/Notify for Confluence
and you have enabled that users can upload their own S/MIME certificates
For further clarification, you are not affected when
you use S/Notify for Jira or S/Notify for Bitbucket
or you have enabled the PGP key upload and not S/MIME
While a user is logged on, a specifically crafted certificate can be used to inject malicious content that can be executed within the context of the user’s permissions.
The injection could be initiated by the user clicking a malicious link in an email or by visiting a malicious website.
From here, an attacker could carry out additional actions that the user is able to perform, including accessing any of the user's data and modifying information within the user’s permissions. This can result in modification, deletion, or theft of data, including accessing or deleting files, or stealing session cookies which an attacker could use to hijack a user’s session.
Stored XSS could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including attempting other malicious attacks, which would appear to originate from a legitimate user.
The severity of this vulnerability is considered moderate according to Bugcrowd’s Vulnerability Rating Taxonomy and has been assigned a CVSS 6.1 (medium) rating in the Common Vulnerability Scoring System.
This vulnerability has been found in a penetration test by a security researcher. We have no reports about it being actively exploited.
Versions up to and including 4.0.0 of S/Notify for Confluence must be considered affected.
Disallowing users to upload their own S/MIME certificate will remove the vulnerability from your installation. To do so
navigate to the S/Notify User Key Management administration page
on the S/MIME tab, deselect Allow user uploads
Download and install our fix release 4.0.1 of S/Notify for Confluence.