ITEM | Comment |
---|---|
Software | EasyMind – Mind Maps for Confluence |
Vendor | MoroSystems, s.r.o |
Version | < 2.15.0 |
Type of Issue | Cross-Site Scripting |
CWE | https://cwe.mitre.org/data/definitions/79.html |
CVE | CVE-2023-30452 |
OWASP | Testing for Stored Cross Site Scripting |
Roles affected | All |
CVSS | High – 8.5 |
Credits | Sven Schlüter & Thore Imhof from Y-Security |
Summary
The plugin EasyMind – Mind Maps for Confluence allows the creation of Mind Maps and Graphics in Confluence that can be shared with other team members. It was possible to embed JavaScript within a Mind Map that would be executed as soon as someone clicked on it.
Mitigation & Recommendation
The vulnerability has been fixed in version 2.15.0, although it is not mentioned explicitly which security vulnerabilities were fixed with this patch.
It is recommended to upgrade the plugin to the latest version, which fixes this vulnerability. We confirmed that our initial exploit payload no longer works; however, no extensive analysis of the patch was done from our side.
We closely follow the OWASP Guidelines when performing penetration tests and we recommend following the Cross-Site Scripting Prevention Cheat Sheet to successfully mitigate Cross-Site Scripting vulnerabilities.
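As an added illustration of the output-encoding advice above (example code, not code from this advisory or from the EasyMind plugin, whose internal data format we do not know), the following renders an assumed mind-map structure of nodes with a label, an optional link and children into HTML while treating every user-supplied value as data rather than markup:

```javascript
// Added example: contextual output encoding for a mind-map renderer.
// The node shape {label, href, children} is an assumption for this example,
// not the EasyMind plugin's real format.

// HTML entity encoding for text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Only absolute http(s) URLs are accepted as links; anything else is rendered as plain text.
function safeHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  return url.protocol === "http:" || url.protocol === "https:" ? url.href : null;
}

// Recursively render a node and its children as nested lists.
function renderNode(node) {
  const label = escapeHtml(node.label ?? "");
  const href = safeHref(node.href);
  const text = href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>`
    : `<span>${label}</span>`;
  const children = Array.isArray(node.children) && node.children.length
    ? `<ul>${node.children.map(renderNode).join("")}</ul>`
    : "";
  return `<li>${text}${children}</li>`;
}

function renderMindMap(root) {
  return `<ul class="mindmap">${renderNode(root)}</ul>`;
}

// Constructed sample: labels contain markup and quotes, one link uses a non-http scheme.
const sampleMap = {
  label: 'Roadmap <b>2023</b> & "Q4"',
  children: [
    { label: "Docs", href: "https://docs.example.invalid/page?a=1&b=2" },
    { label: "Not a link", href: "javascript:void(0)" },
  ],
};
```

Rendering `sampleMap` with `renderMindMap` yields markup in which the angle brackets and quotes of the labels are entity-encoded and the non-http link is emitted as a plain span.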
Disclosure Policy
At Y-Security we take security vulnerabilities seriously and follow a responsible disclosure policy. The 90-day disclosure deadline was exceeded and therefore we decided to disclose the vulnerability after a fix had been released.
Disclosure Timeline
DATE | COMMENT |
---|---|
04.11.2022 | Y-Security discovered security vulnerability & communicated to client |
22.12.2022 | Y-Security reported issue to Atlassian Bugcrowd Program |
24.12.2022 | Bugcrowd opened bug |
04.01.2023 | Bugcrowd requested additional information |
04.01.2023 | Y-Security provided necessary information |
04.01.2023 | Bugcrowd reproduced & acknowledged issue |
13.01.2023 | Bugcrowd forwarded issue to Product Owner |
16.01.2023 | Y-Security requested CVE via Bugcrowd |
30.01.2023 | Y-Security requested update |
01.02.2023 | Bugcrowd declined CVE Request |
23.02.2023 | MoroSystems released fix |
01.03.2023 | Y-Security reminded Bugcrowd of disclosure date |
13.03.2023 | Y-Security requested statement regarding Fix |
04.04.2023 | Y-Security requested update with no response |
10.04.2023 | CVE assigned (CVE-2023-30452) |
11.04.2023 | Y-Security informed Bugcrowd of assigned CVE |
16.05.2023 | Y-Security disclosed CVE-2023-30452 |
Author
Thore Imhof
thore@y-security.de
Y-Security GmbH
16. May 2023