Disclosure of known vulnerabilities
We will publish known vulnerabilities and fixes for mailto.wiki Cloud, Server and Data Center on this page. Fixes for Cloud are deployed automatically; fixes for Server and Data Center are published as regular updates to the app. Fixes for security bugs are mentioned in the release notes. Please always update to the latest version to be safe.
If a critical security vulnerability is found in our apps we will send an email to the technical contacts for all affected customers. All other vulnerabilities will be mentioned in the release notes.
Security bugs found in our applications can be reported by email to support@mailto.wiki or through our Bugcrowd campaign. We pay cash rewards (100$ - 1500$) for valid security bugs reported to us through Bugcrowd.
mailto.wiki – Server & Data Center
Prior to version 4.6 it was possible to send a specially crafted email to Confluence. When a user replied to that email with the reply-by-comment feature, or shared the resulting page using the Email button, potentially confidential data could be sent to the recipient of that email as attachments. The attack works by including image tags that link to non-public resources in the REST API. Because these resources are JSON documents rather than images, they are displayed as broken images on the page. When the page is shared, however, the inline images feature downloads the data from the REST API and attaches it to the email.
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 5.3: (Medium) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Real world usage: No usage of this security bug has been reported. The attack requires some level of social engineering to solicit a reply to the original email.
Fix: If you're running a version of mailto.wiki older than 4.6 and you have sending emails enabled, please update.
Prior to version 2.2 (released 2021-12-08) it was possible to save the configuration on the configuration page as a non-admin.
Any authenticated Confluence user (no special privileges required) was able to update and read the configuration of mailto.wiki through the REST API. The IMAP/POP3 password was not readable.
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 4.3: (Medium) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Real world usage: No usage of this security bug has been reported.
Fix: This has been fixed in version 2.2. If you run an older version of mailto.wiki, please update.
mailto.wiki – Cloud
Prior to 2022-12-13 it was possible to modify an attachment of a page in such a way that, when the page was shared as an email (via the Email button or the scheduler), privileged information obtained through the REST API could be included in that email. This attack requires a user with permission to edit pages, who must trick a user with higher privileges (such as an admin) into sharing that page as an email with them. The include-attachments option needs to be activated when sharing the email.
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 4.8: (Medium) CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N
Real world usage: No usage of this security bug has been reported. The attack requires some level of social engineering to trick a user with higher privileges into sharing the page as an email, although this became slightly more likely with the scheduler feature added a week prior to the discovery of this bug. The attack can only be carried out by users with edit or create page privileges and usually leaves a lot of traces. All of this makes real world exploitation unlikely.
Fix: This has been automatically fixed for all cloud users on 2022-12-13. No update is required.
Prior to 2022-11-17 it was possible to send a specially crafted email to Confluence. When a user replied to that email with the reply-by-comment feature, or shared the resulting page using the Email button, potentially confidential data could be sent to the recipient of that email as attachments. The attack works by including image tags that link to non-public resources in the REST API. Because these resources are JSON documents rather than images, they are displayed as broken images on the page. When the page is shared, however, the inline images feature downloads the data from the REST API and attaches it to the email.
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 5.3: (Medium) CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Real world usage: No usage of this security bug has been reported. The attack requires some level of social engineering to solicit a reply to the original email.
Fix: This has been automatically fixed for all cloud users on 2022-11-17. No update is required.
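The Server & Data Center entry above and this Cloud entry describe the same inline-image problem. The Python below is an added illustration, not mailto.wiki's own code, of the two-stage gate a share-by-email feature can apply before attaching an inline image: the source URL must be same-site and below the attachment download path, and the fetched response must both declare and look like an image. The host wiki.example.com, the path prefix /download/attachments/, the page HTML and the HTTP responses are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Constructed page HTML for this demo: one legitimate attachment image, one
# img tag pointing at a non-public REST resource, one external host.
PAGE_HTML = """
<p>Quarterly report</p>
<img src="/download/attachments/123/chart.png" />
<img src="/rest/api/some-private-resource" />
<img src="https://cdn.example.net/pixel.png" />
"""

# Constructed stand-in for the HTTP fetch: path -> (Content-Type, body).
FAKE_RESPONSES = {
    "/download/attachments/123/chart.png": ("image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "/rest/api/some-private-resource": ("application/json", b'{"secret": "value"}'),
}

# Magic bytes of the image formats we are willing to inline.
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
ALLOWED_PREFIX = "/download/attachments/"  # assumed path of real page attachments
SITE_HOST = "wiki.example.com"              # assumed own host

def is_allowed_image_source(src):
    """Gate 1: only same-site URLs below the attachment download path may be fetched."""
    u = urlparse(src)
    if u.netloc and u.netloc != SITE_HOST:
        return False
    path = u.path or ""
    return path.startswith(ALLOWED_PREFIX) and ".." not in path

def looks_like_image(content_type, body):
    """Gate 2: the response must both claim to be an image and start with image magic."""
    return content_type.lower().startswith("image/") and body.startswith(IMAGE_MAGIC)

def collect_inline_attachments(html, fetch=FAKE_RESPONSES.get):
    """Return (attached, skipped) image sources for the outgoing email."""
    attached, skipped = [], []
    for src in re.findall(r'<img[^>]+src="([^"]+)"', html):
        resp = fetch(urlparse(src).path) if is_allowed_image_source(src) else None
        if resp is None or not looks_like_image(*resp):
            skipped.append(src)
        else:
            attached.append(src)
    return attached, skipped
```

Anything that fails either gate is simply left out of the email rather than attached as opaque data.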
Prior to 2022-11-17 it was possible to bypass the attachment filter to some degree. The Atlassian CDN delivers txt files and other files as HTML if they start with <html. Other MIME types are also guessed. As a result it was possible to disguise HTML and other potentially dangerous files as images, text files or other harmless files. Attachments still had to clear the antivirus scan. JavaScript contained in HTML files in attachments was executed (when opened in the browser) but ran in a different scope than Confluence, so XSS was not possible.
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 0.0: (Low) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N
Real world usage: No usage of this security bug has been reported. Since XSS is not possible, the danger is not much more than that of visiting unknown websites. As the attachments can appear to come from a trusted source (the company-internal wiki), there is some risk of this being used as a gateway for social engineering attacks.
Fix: This has been automatically fixed for all cloud users on 2022-11-17. No update is required. To fix this issue, files are now zipped if Confluence delivers them with a forbidden MIME type.
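As an added illustration of the fix just described (not mailto.wiki's own code), the Python below zips an attachment when Confluence delivers it with a MIME type from a forbidden set, or when its bytes begin with <html and would therefore be sniffed as HTML whatever the file name says. The forbidden set and the sample files are assumptions made for this demo.

```python
import io
import zipfile

# Assumption: MIME types the share-by-email path refuses to attach as delivered.
FORBIDDEN_MIME = {"text/html", "application/xhtml+xml", "image/svg+xml",
                  "application/javascript", "text/javascript"}

def sniffs_as_html(data):
    """Mirror the CDN behaviour described above: a body that begins with
    '<html' (case-insensitive, leading whitespace ignored) is served as HTML."""
    return data.lstrip()[:5].lower() == b"<html"

def wrap_in_zip(filename, data):
    """Package the bytes so the recipient receives an archive, not a live HTML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, data)
    return filename + ".zip", "application/zip", buf.getvalue()

def prepare_attachment(filename, delivered_mime, data):
    """Return (name, mime, bytes) to attach. Anything delivered with a forbidden
    MIME type, or whose bytes would be sniffed as HTML despite a harmless name,
    is zipped; everything else passes through unchanged."""
    if delivered_mime.lower() in FORBIDDEN_MIME or sniffs_as_html(data):
        return wrap_in_zip(filename, data)
    return filename, delivered_mime, data

def unzip_single(data):
    """Verification helper: extract the single member of a zip payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        name = zf.namelist()[0]
        return name, zf.read(name)

# Constructed samples: a text file that is really HTML, and a genuine PNG.
DISGUISED = ("notes.txt", "text/plain", b"  <HTML><body>hello</body></html>")
GENUINE_PNG = ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
```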
Prior to 2022-01-11 it was possible for users who previously had admin rights to edit the configuration after those rights had been revoked. This was possible for 24 hours and only if they still had a valid session cookie (for example, because they still had the configuration page open in a tab or window).
Reporter: This bug has been reported through our bug bounty campaign.
CVSS-Score: 2.7: (Low) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Real world usage: No usage of this security bug has been reported. Given the very high level of trust previously required and the limited time frame (24h), it seems unlikely anybody has used this.
Fix: This has been automatically fixed for all cloud users on 2022-01-11. No update is required.