Comalatech Multiple Add-on Security Advisory 2015-04-23
This advisory discloses security vulnerabilities found and fixed in multiple Comalatech Add-ons. We recommend upgrading Comala Add-ons to the latest supported version for your release of Confluence/JIRA.
Affected Add-on | Vulnerable Versions | Fixed Version
---|---|---
Comala Publishing | up to and including 2.4.2 | 2.4.3
Canvas for JIRA Server | up to and including 1.4.1 | 1.4.2
Canvas for Confluence Server | up to and including 1.7.4 | 1.7.5
Comala Workflows - Remote Publishing | up to and including 2.5 | 2.5.1
XSS Vulnerabilities
Severity
Comalatech rates the severity of these issues as High according to the published Atlassian Security Levels.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have fixed several stored cross-site scripting (XSS) vulnerabilities.
Specific Products Fixed
- Comala Publishing
- Canvas for JIRA Server
- Canvas for Confluence Server
Fix
Upgrade the affected add-on to the latest supported version for your Atlassian product instance.
- Comala Publishing 2.4.3
- Canvas for JIRA Server 1.4.2
- Canvas for Confluence Server 1.7.5
XSRF Vulnerabilities
Severity
Comalatech rates the severity of these issues as Medium according to the published Atlassian Security Levels.
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have updated several actions to prevent cross-site request forgery (XSRF) vulnerabilities. These XSRF vulnerabilities could allow an attacker who has specific knowledge of the Atlassian product and add-on configuration to trick a logged-in user into unintentionally modifying add-on settings or taking other actions.
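The following is an added illustration and is not Comalatech code or code from any of the add-ons named in this advisory. It shows, for a hypothetical JIRA Server add-on action, the generic shape of the two fixes this advisory describes: the state-changing save method is annotated with JIRA's `@RequiresXsrfCheck` so that requests lacking a valid `atl_token` are rejected (XSRF), and the stored setting is HTML-escaped before it is rendered back into a page (stored XSS). The class name `ConfigureCanvasSettingsAction`, the package, the settings key and the form field are assumptions made for the example.

```java
// Added example (not Comalatech's code): a hypothetical JIRA Server webwork
// action that stores one add-on setting. Class, package, key and field names
// are assumptions for illustration only.
package com.example.addon.web;

import com.atlassian.jira.security.xsrf.RequiresXsrfCheck;
import com.atlassian.jira.web.action.JiraWebActionSupport;
import com.atlassian.sal.api.pluginsettings.PluginSettings;
import com.atlassian.sal.api.pluginsettings.PluginSettingsFactory;
import org.apache.commons.lang.StringEscapeUtils;

public class ConfigureCanvasSettingsAction extends JiraWebActionSupport {

    // Hypothetical settings key for the example.
    private static final String KEY = "com.example.addon.displayTitle";

    private final PluginSettingsFactory settingsFactory;
    private String displayTitle;

    public ConfigureCanvasSettingsAction(PluginSettingsFactory settingsFactory) {
        this.settingsFactory = settingsFactory;
    }

    // Rendering the configuration form only reads state, so no token is needed.
    @Override
    public String doDefault() {
        PluginSettings settings = settingsFactory.createGlobalSettings();
        Object stored = settings.get(KEY);
        displayTitle = stored == null ? "" : stored.toString();
        return INPUT;
    }

    // Saving changes state. The annotation makes JIRA verify the request's
    // atl_token before this method runs; without it, a form post originating
    // from another site and riding on an administrator's session would be
    // accepted, which is the XSRF weakness described in the advisory.
    @RequiresXsrfCheck
    @Override
    protected String doExecute() {
        PluginSettings settings = settingsFactory.createGlobalSettings();
        settings.put(KEY, displayTitle == null ? "" : displayTitle);
        return returnComplete("ConfigureCanvasSettings!default.jspa");
    }

    // Bound from the form field of the same name by webwork.
    public void setDisplayTitle(String displayTitle) {
        this.displayTitle = displayTitle;
    }

    // Raw value: safe to use only where the template escapes it itself.
    public String getDisplayTitle() {
        return displayTitle;
    }

    // Escaped value for direct insertion into HTML. A stored title such as
    // <script>...</script> is rendered as literal text rather than executed,
    // which is the stored-XSS fix in generic form.
    public String getDisplayTitleHtml() {
        return StringEscapeUtils.escapeHtml(displayTitle == null ? "" : displayTitle);
    }
}
```

Two things outside this class complete the pattern: the form that posts to the action must include the `atl_token` hidden field that JIRA's form templates provide, and any template that prints the setting must use the escaped getter (or the template engine's own escaping) rather than the raw one. Confluence exposes the equivalent XSRF guard through its own action annotation (`@RequireSecurityToken(true)` from `com.atlassian.xwork`), but the idea is the same: every request that changes add-on settings must carry a token that a cross-site page cannot obtain.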
Specific Products Fixed
- Comala Publishing
- Canvas for Confluence Server
- Comala Workflows - Remote Publishing
Fix
Upgrade the affected add-on to the latest supported version for your Atlassian product instance.
- Comala Publishing 2.4.3
- Canvas for Confluence Server 1.7.5
- Comala Workflows - Remote Publishing 2.5.1