Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Atlassian Confluence 3.0 Cross Site Request Forgery

🗓️ 25 Sep 2012 00:00:00Reported by Robert GilbertType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 52 Views

Multiple CSRF vulnerabilities in Atlassian Confluence 3.0 and below allow remote attackers to execute actions on behalf of legitimate users by adding malicious images in comments

Related
Code
ReporterTitlePublishedViews
Family
Atlassian		logout.action is not protected against XSRF - CVE-2012-6342
27 Jun 201123:56
atlassian
Atlassian		logout.action is not protected against XSRF - CVE-2012-6342
27 Jun 201123:56
atlassian
CVE		CVE-2012-6342
13 May 201414:00
cve
Cvelist		CVE-2012-6342
13 May 201414:00
cvelist
EUVD		EUVD-2012-6197
7 Oct 202500:30
euvd
NVD		CVE-2012-6342
13 May 201414:55
nvd
Prion		Cross site request forgery (csrf)
13 May 201414:55
prion
`Product: Confluence  
Vendor: Atlassian  
Version: 3.0 / Current  
Tested Version: 3.4.6  
Vendor Notified Date: June 31, 2011  
Release Date: September 19, 2012  
Risk: Medium  
Authentication: Depends on configuration.  
Remote: Yes  
  
Description:   
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Confluence 3.0 and below allow remote attackers to submit actions on their behalf. Newer versions may also be vulnerable.  
Pages that allow a potential attacker to add images (such as in the comments sections) allow CSRF. By not properly checking each URL, an attacker can execute requests on behalf of a legitimate user.   
As a proof-of-concept, a comment is added to a page which includes the logout URL inside the wiki markup image tags. Whenever anyone visits that page they are automatically logged out because the page attempts to load the image and executes the 'src=url'. This comment can be added to anyone's profile, which would force them to be logged out the moment they login. This can be used for more complex attacks too but going beyond the POC was not necessary.  
  
Exploit POC:  
1. Add comment.  
2. !http://pwndshop.com/logout.action|border=1!  
  
Vendor Notified: Yes  
Vendor Response: Requested time to resolve.  
Vendor Update: 1.5 years later, marked as "Resolution: Won't Fix"  
  
Reference:   
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
Credit:  
Robert Gilbert  
Senior Consultant  
HALOCK Security Labs, Purpose Driven Security(tm)  
rgilbert [-at-] halock [-dot-] com   
http://www.halock.com  
http://blog.halock.com  
  
  
Note: This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, and/or confidential. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and delete this message immediately.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Sep 2012 00:00Current
6.7Medium risk
Vulners AI Score6.7
EPSS0.0018
atlassian confluencecross-site request forgeryremote attackcsrf vulnerabilitiesimage tag exploit
52