
From 2020-11-25 to 2020-12-03

We have released multiple versions of External Share for Confluence (Cloud and Server) between 2020-11-25 and 2020-12-03 (latest 2.4.0).

They contain the following security fixes:


  • XSS via attachment name on external page
  • XSS in view links form via user full name
  • XSS via attached SVG
  • XSS via attached HTML
  • Reflected XSS via redirect param on password page
  • Unvalidated redirect on password page
  • XSS via space name in global share list
  • SQL Injection - GET /share (sort / sort order)
  • BAC | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed

External Share for Confluence (Cloud)

  • XSS via attachment name on external page
  • XSS in view links form via user full name
  • Reflected XSS via redirect param on password page
  • Unvalidated redirect on password page
  • XSS via space name in global share list
  • SQL Injection - GET /share (sort / sort order)
  • BAC | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed
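The lists above name the vulnerability classes that were fixed but not the defensive patterns behind the fixes. The following is an added, framework-agnostic Python example (not External Share's own code, and not how the vendor implemented the fixes) showing one standard mitigation for each class in both lists: an allow-list for the `sort` / `sort order` parameters of `GET /share`, same-origin validation of the password page's `redirect` parameter, non-inline delivery and escaping of attached SVG/HTML and attachment names, and a media-proxy token bound to the share's settings version so that previously issued media URLs stop working when the share is changed. The share model (`id`, `active`, `settings_version`), the column names and the HMAC scheme are constructed assumptions.

```python
import hashlib
import hmac
import html
import posixpath
from urllib.parse import urlsplit

# --- SQL injection via sort / sort order on GET /share ----------------------
# ORDER BY identifiers cannot be bound as query parameters, so client-supplied
# sort keys are mapped through an allow-list and never spliced in directly.
# Column names are assumed for this example.
SORT_COLUMNS = {"name": "share_name", "created": "created_at", "expires": "expires_at"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_share_query(owner_id, sort="created", order="desc"):
    """Return (sql, params) for the share list; unknown sort keys are rejected."""
    if sort not in SORT_COLUMNS or order not in SORT_ORDERS:
        raise ValueError("invalid sort parameter")
    sql = ("SELECT share_name, created_at, expires_at FROM share "
           "WHERE owner_id = ? ORDER BY %s %s" % (SORT_COLUMNS[sort], SORT_ORDERS[order]))
    return sql, (owner_id,)


# --- Unvalidated redirect / reflected XSS via the password page's redirect param
def safe_redirect_target(redirect, default="/"):
    """Accept only a same-origin relative path; anything else falls back to default."""
    if not redirect or not redirect.startswith("/") or redirect.startswith("//"):
        return default
    if "\\" in redirect or any(ord(c) < 0x20 for c in redirect):
        return default  # browsers treat '\' as '/'; CR/LF must never reach a Location header
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default  # defence in depth: no 'https://', 'javascript:' or '//host' forms
    path = posixpath.normpath(parts.path)  # collapse '/../' segments inside the path
    return path + ("?" + parts.query if parts.query else "")


# --- XSS via attached SVG / HTML and via the attachment name -----------------
ACTIVE_CONTENT = {"image/svg+xml", "text/html", "application/xhtml+xml"}


def attachment_headers(filename, content_type):
    """Response headers for serving an uploaded attachment from the external page."""
    headers = {"Content-Type": content_type, "X-Content-Type-Options": "nosniff"}
    # Strip characters that could break out of the quoted filename or the header line.
    safe_name = "".join(c for c in filename if c not in '"\r\n' and ord(c) >= 0x20)
    if content_type in ACTIVE_CONTENT:
        # Script-capable types are forced to download and sandboxed if a browser renders them.
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Disposition"] = 'inline; filename="%s"' % safe_name
    return headers


def render_attachment_link(filename, href):
    """Escape the attachment name and URL before they are placed in the page HTML."""
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(filename))


# --- Broken access control in the attachment media-proxy --------------------
def media_token(secret, share_id, attachment_id, settings_version):
    """HMAC over the share's current settings version: a proxy URL issued before
    the share was changed or disabled no longer verifies (assumed scheme)."""
    msg = "%s|%s|%d" % (share_id, attachment_id, settings_version)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def media_access_allowed(secret, share, attachment_id, token):
    """share is a constructed dict with keys 'id', 'active' and 'settings_version'."""
    if not share["active"]:
        return False
    expected = media_token(secret, share["id"], attachment_id, share["settings_version"])
    return hmac.compare_digest(expected, token)
```

The media-proxy check is the one that addresses the "already generated media was not revoked" item: because the token is recomputed from the share's current `settings_version` on every request, any change to the share (password, expiry, disabling) bumps the version and silently invalidates every URL handed out earlier, without a revocation list.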