
Security Patches from 2020-11-25 to 2020-12-03

External Share for Confluence is part of the Atlassian Marketplace Bug Bounty program.

A bug bounty program is one of the most powerful post-production tools you can implement to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.

The Atlassian Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers. Marketplace Partners who join this program allow security researchers to test their applications for security vulnerabilities; the researchers are then rewarded based on the severity of the vulnerability discovered. The result is a cost-efficient way for Marketplace Partners to discover and fix vulnerabilities in their apps on an ongoing basis, which results in more secure apps for customers.

Marketplace apps that are currently participating in the Marketplace Bug Bounty Program are identifiable by the security badge on their Marketplace app listing. For more information on how the Marketplace Bug Bounty Program is run, please review the information on our Developer page.

We have released multiple versions between 2020-11-25 and 2020-12-03 of External Share for Cloud and Server (latest .

Fix Versions

  • External Share for Confluence Cloud 1.2.0-AC

  • External Share for Confluence Server 2.4.0

  • External Share for Confluence Data Center 2.4.0

They contain numerous security patches for the following topics:

External Share for Confluence (Server & Data Center)

  • XSS via attachment name on external page

  • XSS in view links form via user full name

  • XSS via attached SVG

  • XSS via attached HTML

  • Reflected XSS via redirect param on password page

  • Unvalidated Redirect on password page

  • XSS via space name in global share list

  • SQL Injection - GET /share (sort / sort order)

  • BAC (broken access control) | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed

External Share for Confluence (Cloud)

  • XSS via attachment name on external page

  • XSS in view links form via user full name

  • Reflected XSS via redirect param on password page

  • Unvalidated Redirect on password page

  • XSS via space name in global share list

  • SQL Injection - GET /share (sort / sort order)

  • BAC (broken access control) | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed
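As an added, illustrative example (not External Share's own code), the kind of server-side checks that close two of the issue classes listed above: a local-path validator for the password page's redirect parameter (covering both the unvalidated redirect and the reflected XSS through that parameter) and an allowlist mapping for the GET /share sort and sort-order parameters. The column names, parameter names and query are assumptions constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed allowlist: user-supplied sort keys map to fixed column names.
# ORDER BY identifiers cannot be bound as query parameters, so an allowlist
# is the only safe way to take them from the request.
SORTABLE_COLUMNS = {"name": "share_name", "created": "created_at", "expires": "expires_at"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}


def build_share_query(sort: str, order: str) -> str:
    """Return the list query for the requested sort, or raise on unknown input."""
    column = SORTABLE_COLUMNS.get(sort.lower())
    direction = SORT_ORDERS.get(order.lower())
    if column is None or direction is None:
        # Anything outside the allowlist is rejected; nothing from the request
        # is ever concatenated into the SQL text.
        raise ValueError("unsupported sort parameter")
    return f"SELECT id, share_name FROM share ORDER BY {column} {direction}"


def safe_redirect_target(redirect: str, default: str = "/") -> str:
    """Accept only a local absolute path; everything else falls back to default.

    Rejects scheme-qualified URLs (https:, javascript:), protocol-relative
    //host forms, backslash variants browsers normalise to //, and control
    characters that could split a Location header.
    """
    if not redirect or not redirect.startswith("/") or redirect.startswith("//"):
        return default
    if "\\" in redirect or any(ord(c) < 0x20 or c == "\x7f" for c in redirect):
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default
    return redirect


def render_redirect_field(redirect: str) -> str:
    """Reflect the validated redirect value into the password form, HTML-escaped.

    Validation decides where the browser may be sent; escaping is still needed
    because a valid local path can contain characters that break out of an attribute.
    """
    target = html.escape(safe_redirect_target(redirect), quote=True)
    return f'<input type="hidden" name="redirect" value="{target}">'
```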

If you have any questions or would like to know more about any of the issues patched, please contact us: support@oldstreetsolutions.com