XSS vulnerability in space key, particularly with decorators off

Type atlassian
Reporter don.willis@atlassian.com
Modified 2019-09-12T07:26:19


{panel:bgColor=#e7f4fa} NOTE: This bug report is for Confluence Server. Using Confluence Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/CONFCLOUD-20865]. {panel}

As discovered while looking at CONF-20667, Confluence stores the space key unencoded in a content tag. Considerable functionality relies on this content tag, e.g. the Doc Theme breaks without it, and theme choice breaks without it.

To exploit it, create a user with HTML in the login name, then create a personal space as that user. Finally, use a decorator=none request parameter when viewing a page to see the content tags.

There are actually a few places where the space key isn't encoded, so removing the ability to pass "decorator=none" is probably not a complete fix.
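The defect and its fix in miniature, as an added example that is not Confluence's code and not part of the report: the space key is written into an HTML attribute by plain concatenation, so a double quote in the value closes the attribute and whatever follows becomes markup. The corrected version encodes the value for the attribute context at the point of output, which is what covers every emitting site rather than just the one reachable through the decorator parameter. The tag name `space-key`, the sample key, and the key-format policy in `SPACE_KEY_RE` are all assumptions made for the example.

```python
import html
import re

# Constructed sample: a personal-space key derived from a login name that
# contains HTML metacharacters, the shape of input the report describes.
SAMPLE_KEY = '~alice"><b>x</b>'


def render_meta_unsafe(space_key: str) -> str:
    """The defect: the key is concatenated into the attribute unencoded, so a
    double quote in the value ends the attribute and the remainder of the
    string is parsed as markup. (Hypothetical tag name, not Confluence's.)"""
    return '<meta name="space-key" content="' + space_key + '">'


def render_meta_safe(space_key: str) -> str:
    """Hardened form: HTML-encode the value for an attribute context.
    quote=True additionally encodes double and single quotes, which is what
    keeps the value inside the attribute."""
    return '<meta name="space-key" content="' + html.escape(space_key, quote=True) + '">'


def attribute_is_intact(tag: str) -> bool:
    """Structural check: exactly one meta tag whose content attribute holds
    the entire value, with no '"', '<' or '>' leaking outside it."""
    return re.fullmatch(r'<meta name="space-key" content="([^"<>]*)">', tag) is not None


# Assumed key policy for the example (not Confluence's documented rule):
# optional '~' prefix for personal spaces, then letters and digits only.
# Rejecting a bad key at creation time is defence in depth; encoding at
# output is the actual fix, because a stored key may already be bad.
SPACE_KEY_RE = re.compile(r'~?[A-Za-z0-9]+')


def is_valid_space_key(space_key: str) -> bool:
    """True when the key matches the assumed allowlist above."""
    return SPACE_KEY_RE.fullmatch(space_key) is not None


if __name__ == "__main__":
    print("unsafe :", render_meta_unsafe(SAMPLE_KEY), attribute_is_intact(render_meta_unsafe(SAMPLE_KEY)))
    print("safe   :", render_meta_safe(SAMPLE_KEY), attribute_is_intact(render_meta_safe(SAMPLE_KEY)))
    print("valid? :", is_valid_space_key(SAMPLE_KEY), is_valid_space_key("~alice"))
```

The point of `attribute_is_intact` is that it is a property a unit test can assert over every template that emits the key, independent of how the value reached the page; that is the kind of check that catches the other unencoded sites the report mentions rather than only the decorator=none path.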