Comalatech Multiple Add-on Security Advisory 2015-04-23

This advisory discloses security vulnerabilities found and fixed in multiple Comalatech add-ons. We recommend upgrading the affected Comala add-ons to the latest supported version for your release of Confluence or JIRA.

Affected Add-on                        Vulnerable Versions           Fixed Version
Comala Publishing                      up to and including 2.4.2     2.4.3
Canvas for JIRA Server                 up to and including 1.4.1     1.4.2
Canvas for Confluence Server           up to and including 1.7.4     1.7.5
Comala Workflows - Remote Publishing   up to and including 2.5       2.5.1

XSS Vulnerabilities

Severity

Comalatech rates the severity of these issues as High according to the published Atlassian Security Levels.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed several stored cross-site scripting (XSS) vulnerabilities.

Specific Products Fixed

  • Comala Publishing
  • Canvas for JIRA Server
  • Canvas for Confluence Server

Fix

Upgrade the affected add-on to the latest supported version for your Atlassian product instance.

Comala Publishing 2.4.3

Canvas for JIRA Server 1.4.2

Canvas for Confluence Server 1.7.5

XSRF Vulnerabilities

Severity

Comalatech rates the severity of these issues as Medium according to the published Atlassian Security Levels.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have updated several actions to prevent cross-site request forgery (XSRF) vulnerabilities. These XSRF vulnerabilities could allow an attacker to trick users into unintentionally modifying add-on settings or taking actions, provided the attacker has specific knowledge of the Atlassian product and add-on configuration.
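The two defect classes fixed above share a common shape: stored XSS arises when user-supplied content is rendered into a page without output encoding, and XSRF arises when a state-changing action accepts a request without proof that the user's own session initiated it. The following is an added illustration of both mitigations in a generic, self-contained form; it is not code from Comalatech or from any of the add-ons listed here, and the settings store, session table and function names are assumptions constructed for the example. Atlassian products provide their own XSRF token and escaping mechanisms, which add-ons should use in preference to hand-rolled versions.

```python
import hmac
import html
import secrets

# Constructed in-memory stand-ins for an add-on's settings and the host's
# session table (assumptions for this example, not any product's real API).
SETTINGS = {"publish_target": "default"}
SESSIONS = {}


def new_session(user):
    """Create a session and bind a fresh, unguessable XSRF token to it."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user, "xsrf": secrets.token_hex(16)}
    return sid


def xsrf_token_for(sid):
    """Token the server embeds in its own forms for this session."""
    return SESSIONS[sid]["xsrf"]


def update_settings(sid, form, submitted_token):
    """State-changing action. A cross-site request carries the victim's
    session cookie but cannot read the per-session token, so a missing or
    mismatched token is rejected before any state changes."""
    session = SESSIONS.get(sid)
    if session is None:
        return {"ok": False, "reason": "no session"}
    if not isinstance(submitted_token, str) or not hmac.compare_digest(
        session["xsrf"].encode(), submitted_token.encode()
    ):
        # Constant-time comparison avoids leaking the token via timing.
        return {"ok": False, "reason": "xsrf"}
    SETTINGS.update(form)
    return {"ok": True}


def render_comment(stored_text):
    """Stored content is escaped at output time, so markup a user saved
    earlier is shown as text rather than executed in another user's browser."""
    return "<p>" + html.escape(stored_text, quote=True) + "</p>"


def demo():
    """Exercise both checks; returns the outcomes so they can be asserted on."""
    sid = new_session("alice")
    forged = update_settings(sid, {"publish_target": "attacker"}, None)
    wrong = update_settings(sid, {"publish_target": "attacker"}, "0" * 32)
    genuine = update_settings(sid, {"publish_target": "wiki"}, xsrf_token_for(sid))
    rendered = render_comment('<script>alert(1)</script>')
    return {
        "forged": forged,
        "wrong": wrong,
        "genuine": genuine,
        "setting": SETTINGS["publish_target"],
        "rendered": rendered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The order of checks matters: the token is validated before the settings dictionary is touched, so a forged request has no side effect at all, which is the property a reviewer should look for in each action the advisory says was updated.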

Specific Products Fixed

  • Comala Publishing
  • Canvas for Confluence Server
  • Comala Workflows - Remote Publishing

Fix

Upgrade the affected add-on to the latest supported version for your Atlassian product instance.

Comala Publishing 2.4.3

Canvas for Confluence Server 1.7.5

Comala Workflows - Remote Publishing 2.5.1