From 2020-11-25 to 2020-12-03
We have released multiple versions between 2020-11-25 and 2020-12-03 of External Share for Cloud and Server (latest 2.4.0).
They contain numerous security patches:
External Share for Confluence (Server)
XSS via attachment name on external page
XSS in view links form via user full name
XSS via attached SVG
XSS via attached HTML
Reflected XSS via redirect param on password page
Invalidated Redirect on password page
XSS via space name in global share list
SQL Injection - GET /share (sort / sort order)
BAC | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed
External Share for Confluence (Cloud)
XSS via attachment name on external page
XSS in view links form via user full name
Reflected XSS via redirect param on password page
Invalidated Redirect on password page
XSS via space name in global share list
SQL Injection - GET /share (sort / sort order)
BAC | Attachment (media-proxy) - access to already generated media was not revoked after share settings changed