Comala Document Approval Security Advisory 2022-09-28
This advisory discloses a security vulnerability found and fixed in Comala Document Approval. We recommend upgrading Comala Document Approval to the latest supported version.
Affected Versions
The vulnerability affects all versions of Comala Document Approval up to 1.11.0.
The 1.11.1 release contains a fix for the issue mentioned below.
XSS Vulnerabilities
Severity
Comalatech rates the severity of this issue as Medium according to the published Atlassian Security Levels.
We have ranked the vulnerability as Medium because a registered user with edit permissions over pages or blog posts in the application could do the following:
perform session riding
steal information and cookies
create a phishing page within the domain
This is an independent assessment and you should evaluate its applicability to your own IT environment.
Description
We have fixed a cross-site scripting vulnerability in Comala Document Approval. The vulnerability could allow a user with edit permission to use another user's session.
Risk Mitigation
We recommend that all users upgrade Comala Document Approval to at least 1.11.1.