From 2020-11-25 to 2020-12-02

We have released multiple versions of External Share for Cloud and Server (2.4.0).

They contain numerous security patches:

External Share for Confluence (Server)

  • XSS via attachment name on external page

  • XSS in view links form via user full name

  • XSS via attached SVG

  • XSS via attached HTML

  • Reflected XSS via redirect param on password page

  • Unvalidated redirect on password page

  • XSS via space name in global share list

  • SQL Injection - GET /share (sort / sort order)

External Share for Confluence (Cloud)

  • XSS via attachment name on external page

  • XSS in view links form via user full name

  • Reflected XSS via redirect param on password page

  • Unvalidated redirect on password page

  • XSS via space name in global share list

  • SQL Injection - GET /share (sort / sort order)
