This site has moved to the integrated Appfire documentation and information site for our apps.

From February 2024 this site is no longer updated.

Take a look here! If you have any questions please email support@appfire.com

Comalatech Multiple Add-on Security Advisory 2015-04-23

Overview

Remote Publishing Only

This advisory concerns the Comala Workflows - Remote Publishing app.

It is not applicable to main Comala Workflows app.

This advisory discloses security vulnerabilities found and fixed in multiple Comalatech Add-ons.  We recommend upgrading Comala Add-ons to the latest supported version for your release of Confluence/JIRA.


Affected Add-onVulnerable VersionsFixed Version
Comala Publishingup to and including 2.4.22.4.3
Canvas for JIRA Serverup to and including 1.4.11.4.2
Canvas for Confluence Serverup to and including 1.7.41.7.5
Comala Document Management - Remote Publishingup to and including 2.52.5.1


XSS Vulnerabilities

Severity

Comalatech rates the severity of these issues as High according to the published Atlassian Security Levels.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have fixed several stored cross site scripting vulnerabilities.

Specific Products Fixed

  • Comala Publishing
  • Canvas JIRA Server
  • Canvas for Confluence Server

Fix

Upgrade the affected add-on to the latest supported version for your Atlassian product instance.

Comala Publishing 2.4.3

Canvas for JIRA Server 1.4.2

Canvas for Confluence Server 1.7.5


XSRF Vulnerabilities

Severity

Comalatech rates the severity of these issues as Medium according to the published Atlassian Security Levels.

This is an independent assessment and you should evaluate its applicability to your own IT environment.

Description

We have updated several actions to prevent cross site request forgery (XSRF) vulnerabilities.  These XSRF vulnerabilities could allow an attacker to trick users into unintentionally modifying add-on settings or taking actions if they have specific knowledge of the Atlassian product and add-on configuration.

Specific Products Fixed

  • Comala Publishing
  • Canvas for Confluence Server
  • Comala Workflows - Remote Publishing

Fix

Upgrade the affected add-on to the latest supported version for your Atlassian product instance.

Comala Publishing 2.4.3

Canvas for Confluence Server 1.7.5

Comala Workflows - Remote Publishing 2.5.