admin/dev/usermacros.jsp lacks an XSRF token to add and remove user macros from Confluence.

2012-04-19T01:27:40
ID ATLASSIAN:CONF-25267
Type atlassian
Reporter dblack
Modified 2017-02-17T05:23:55

Description

admin/dev/usermacros.jsp does not require a CSRF (XSRF) token to add and remove user macros from Confluence.

This could allow an attacker to introduce a malicious user macro (containing arbitrary HTML and/or JavaScript) into a Confluence instance through a CSRF attack against an administrator user: if an authenticated admin is lured to a page that submits the add-macro request, the macro is created with the admin's privileges and its content is later rendered for other users.