Update ASAP if you use PlantUML, Refined, Linking, Countdown Timer, or Server Status extensions

Plugins for Confluence workplace collaboration platform vulnerable to XSS exploits

UPDATED Stored cross-site scripting (XSS) vulnerabilities unearthed in a raft of Confluence plugins allow attackers to inject malicious JavaScript code into pages used within the corporate collaboration platform.

Organizations that use the five Confluence plugins in question – PlantUML, Refined, Linking, Countdown Timer, and Server Status – have been urged to update their systems with newly released versions.

Security researchers from SEC Consult have also advised organizations to perform “an in-depth security analysis” since “the plugins may be affected [by] further security issues”, according to a security advisory published by the cybersecurity consultancy.

Privileged positions

However, the flaws’ severity is somewhat limited by the fact that attackers need “a valid account with privileges to use/edit one of the vulnerable plugins on a Confluence page,” Roman Ferdigg and Daniel Teuchert of SEC Consult, who discovered the flaws, told The Daily Swig.

That said, “the victim does not necessarily need a valid account” in order for adversaries to target them, “if the payload is delivered via a public Confluence page.

“If the victim has a valid account and is currently logged into Confluence, an attacker can carry out different actions in the context of the victim and exfiltrate data from Confluence pages and spaces that the victim has access to,” the researchers explained.

But if “the victim is not logged in or doesn't have an account, the attacker can attack the victim with malicious downloads or for example try to get credentials via a phishing login form”.

Affected plugins

The five affected Confluence plugins are maintained by five separate vendors, all of which SEC Consult alerted to the bugs on August 19.

PlantUML, an open source tool for creating UML diagrams from plain text languages, is vulnerable to stored XSS originating in the database information macro. German vendor Avono patched the flaw in version 6.44, which it released on August 25.

The flaw discovered in Refined, a site-building app for Atlassian Jira and Confluence used by more than 4,000 teams, was found in two elements, UI-Image and UI-Button. The eponymous vendor fixed the vulnerability in version 2.2.7, which was issued on August 26.

The developer of Linking, Service Rocket, released version 5.5.7, which remedies a bug in the plugin’s ‘Link in New Window’ macro, on September 20. Linking is used to generate one-click links that create structured content via templates, manage links with multiple resources, and create naming conventions for content.

Akeles Consulting rectified a security flaw in Countdown Timer’s macro in version 1.7.1, which was published on October 6.

Finally, version 1.2.2 of Server Status addresses the vulnerability uncovered in its HTTP status and SMTP status macros. German vendor APTIS issued the updated software on August 31.

SEC Consult has surmised that all earlier versions of the plugins probably contain the stored XSS flaws.

“Companies using Confluence Plugins should be aware that insecure plugins can pose a threat to the Confluence security mechanisms,” said Ferdigg and Teuchert. “Therefore it is important to take security into account when selecting Confluence plugins.”

SEC Consult’s advisory includes proof-of-concepts for each vulnerability.

Developed by Australian software company Atlassian, Confluence is a web-based wiki written in Java.

Collaborative workspaces like Atlassian, which has more than 60,000 customers, have become more salient during the Covid-19 pandemic with much of the world’s ordinarily office-based workforce still working from home.


This article was updated on October 12 with comments from SEC Consult


RELATED Remote working security: Thousands of misconfigured Atlassian instances ripe for unauthorized access