-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: FAB-2019-00157
Product: Live Input Macros
Manufacturer: Old Street Solutions
Affected Version(s): 2.10 and before
Tested Version(s): 2.10
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: High
CVSS v3.0: 7.6
Vektor String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H
Vendor Homepage: https://www.oldstreetsolutions.com/
Software Link: https://marketplace.atlassian.com/apps/1215287/live-input-macros
Solution Status: Reported
Manufacturer Notification: 2019-08-19
Solution Date: 2019-08-20
Public Disclosure: 2019-08-20
CVE Reference: CVE-2019-15233
Author of Advisory: Francesco Emanuel Bennici, FABMation GmbH


Description
===========

Live Input Macros gives Users the possibility to add checkboxes, radio buttons,
dropdown lists and more to your Confluence pages and make changes without
editing the page.

An attacker can execute JavaScript Code on the Confluence Site if a User
adds the malicous Code.

This can be used to steal the Session Cookie of an (eg.) Administrator (Session
Hijacking).

Found by Francesco Emanuel Bennici of FABMation GmbH.


Proof of Concept (PoC)
======================

Create a new Macro ('+' -> Other Macros -> 'Live:Text Box'). Enter a random
Unique ID and set the "Content Format" to "HTML".
Now enter this Text in the Text Box field:
```html
Hello World this is my Text Box </p> </div>





alksdfjlkasdjflkj </p> " <br/> <style/onload=alert(document.cookie)> <br/> " <p> asdasd





This ends not with TAG!! 
```

The JS Script Code from `<style/onload=alert(document.cookie)>` will be executed on Page Load.


Solution
========

Search for Text with the following Regex: <.*(\/?).*>
And replace all the selected Text with ''.


Disclosure Timeline
===================

2019-08-19: Vulnerability discovered
2019-08-19: Vulnerability reported to manufacturer
2019-08-20: Vendor released Security Update
2019-08-20: Public disclosure


References
==========

- - EXPLOIT: https://github.com/l0nax/CVE-2019-15233

Credits
=======

This security vulnerability was found by Francesco Emanuel Bennici of FABMation GmbH.

E-Mail: eb@fabmation.de
Public Key: https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x17FA2D56BAD01661
Key ID: 0x17FA2D56BAD01661
Key Fingerprint: B643 49C6 B652 CD12 C03F  DACD 17FA 2D56 BAD0 1661


Copyright
=========

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtkNJxrZSzRLAP9rNF/otVrrQFmEFAl1b8+8ACgkQF/otVrrQ
FmE5hA//UAbnYTEcfY8QWCcYi+gzi22vtvFjjncWBvDrmKVCg+Lv4oWfriqPAMew
cFQvKOuZNwMZfrrkWf3VzXvsBXqFpVAD/dEZH3sedZVo4H4qMP1usJkfJFohk8rQ
PdXo5kpAKb6B+mwNeLzPU3KY8Xfwgs4vwRiSFvWNvteTQ64jDtQ/Bl25GgPrQK7L
6ttCeomzoGdEyP7igsCUT0tpbA41fJhIyO2dttWUbjeB+FrdZP/tWhbKhUkG5l5T
KuR7dfSmVD3vfnnG7ThkUjgll69lH/Mr2r00QcOyp9Bds5d0V31hFA9r/6VZVOOt
txxaGKLqZY6a4Yr0kXLI2V8eJxJH1wxOEyQSVFsr6pTlnazar0F6iVwUFlgE/0Yf
zS/a/qb+4XslJkcoLLxK+ieNcMlTnXhbxo41ZNcyJfMB7ijzsguktO4P3hr0TEVZ
UjKsDmytIaF7t+7B7+OLXVzGNakZ/X1uFp8sOm6V6jIJ8cYCPpVSJh+ulHVqak9n
2leP4i5rSL9JYdXVoC2Q8RfpZ6u4Iyrw72mpIZM2eUNTO7M0fqOmbWvrgXPiYNjN
lCp7VClhWZjaUuD91LvZ9/Ta4f6+F60G4Z9iuMY5WOYMQz3UpzJmx2ZhX7QQfyJT
PZJztQ/4/dcyjDQLTR/zUXs6puavTeHFTbDL1CVRJr7qlTudcZg=
=3RIQ
-----END PGP SIGNATURE-----