Summary

JavaScript code can be injected into multi-select field values

Advisory Release Date

 

Product
  • Linchpin User Profiles
  • Linchpin Intranet Suite
  • Linchpin Essentials

Affected Linchpin User Profiles Versions

2.24.1 and earlier

Fixed Linchpin User Profiles Version

2.24.2

Affected Linchpin Intranet Suite Versions

3.4.0 / 3.3.2 / 3.3.1 / 3.3.0 / 3.2.1 and earlier

Fixed Linchpin Intranet Suite Versions

3.4.1 / 3.3.3 / 3.2.2

Affected Linchpin Essentials Versions

1.3.0 / 1.2.2 and earlier

Fixed Linchpin Essentials Versions

1.3.1 / 1.2.3

Problem

We identified a security vulnerability in our Linchpin User Profiles app. The vulnerability allows any logged-in user to inject JavaScript code into profile fields of certain types in their own profile (or other profiles which they are permitted to edit), provided more than one option has been selected. This malicious code would then be executed in the viewing user's context, allowing it to perform all actions in that user's scope. The User Profiles API is not affected by the vulnerability.

The vulnerability has been rated as high (7.3) according to the scale published under the Common Vulnerability Scoring System (CVSS).

This issue was discovered during internal quality assurance on 04.09.2020. As soon as we noticed the issue, we analyzed the codebase for similar vulnerabilities.

All versions of the app Linchpin User Profiles up to and including 2.24.1 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including versions 3.2.1, 3.3.2 and 3.4.0.
All versions of Linchpin Essentials are affected by this vulnerability, up to and including versions 1.2.2 and 1.3.0.

Solution

The steps to resolve this issue depend on whether you use Linchpin Essentials, the Linchpin User Profiles app, or the Linchpin Intranet Suite.

Linchpin User Profiles

If you are using the Linchpin User Profiles app in one of the affected versions 2.24.1 or earlier, please immediately update to Linchpin User Profiles 2.24.2.

Linchpin Intranet Suite

If you are using profile fields of type Multi select, Language select, or Country select in your system, immediately update to a Linchpin Intranet Suite version containing the fix.
Please refer to the table below to determine the appropriate fix version. Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

| Current version | Fix version |
| --- | --- |
| Linchpin Suite 3.4.0 | 3.4.1 |
| Linchpin Suite 3.3.2, Linchpin Suite 3.3.1, Linchpin Suite 3.3.0 | 3.3.3 |
| Linchpin Suite 3.2.1, Linchpin Suite 3.2.0 | 3.2.2 |
| Linchpin Suite 3.1, Linchpin Suite 3.0 or earlier | 3.4.1 (Confluence 6.12 and higher) or 3.3.3 (Confluence 6.10) or 3.2.2 (Confluence 6.9) |

For versions prior to the 3.2 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.

Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: Installation or update of Linchpin Intranet Suite hangs

  1. Restart Confluence (only necessary if the update is already hanging)
  2. Uninstall the app "Linchpin User Profiles (Content Responsibility)".
  3. Uninstall the app "Linchpin User Profiles".
  4. Install the app "Linchpin Intranet Suite" again.

Linchpin Essentials

If you are using profile fields of type Multi select, Language select, or Country select in your system, immediately update to a Linchpin Essentials version containing the fix.
Please refer to the table below to determine the appropriate fix version. Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

| Current version | Fix version |
| --- | --- |
| Linchpin Essentials 1.3.0 | 1.3.1 |
| Linchpin Essentials 1.2.2, Linchpin Essentials 1.2.1, Linchpin Essentials 1.2.0 | 1.2.3 |
| Linchpin Essentials 1.1.1, Linchpin Essentials 1.1.0, Linchpin Essentials 1.0.0 | 1.3.1 or last supported |

Root Cause

Due to an error in sanitizing input from multi-select fields with multiple selected values, users editing a profile could potentially inject malicious data into profile fields that would bypass validation. This qualifies as a stored cross-site scripting (XSS) vulnerability. The code is then executed in the viewing user's context, where it could load additional code from remote sites and run it in that context. This also allows for an escalation of privileges.
We have fixed the problematic sanitization routine and implemented additional measures that prevent displaying such potentially harmful field values.
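
The class of error described above, as an added illustration that is not Linchpin's code (the page does not show the actual routine): a hypothetical sanitizer that validates only the single-value path, beside one that checks every selected value against the option list, plus output escaping at display time. All function names, the option list and the sample submissions are assumptions.

```javascript
// Added illustration; not Linchpin code. All names are hypothetical.
const ALLOWED_OPTIONS = new Set(['English', 'German', 'French']); // constructed option list

// HTML-escape a value for element-content and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Flawed pattern (assumed, for illustration): only the single-value path is
// validated; a submission with more than one entry is stored unchecked.
function sanitizeFlawed(input) {
  const values = Array.isArray(input) ? input : [input];
  if (values.length === 1) {
    return ALLOWED_OPTIONS.has(values[0]) ? values : [];
  }
  return values; // multi-value branch skips validation
}

// Corrected input handling: every submitted value must be a configured option.
function sanitizeStrict(input) {
  const values = Array.isArray(input) ? input : [input];
  const rejected = values.filter((v) => typeof v !== 'string' || !ALLOWED_OPTIONS.has(v));
  if (rejected.length > 0) {
    throw new Error(`rejected ${rejected.length} value(s) not in the option list`);
  }
  return [...new Set(values)]; // drop duplicate selections
}

// Display-side measure: escape each stored value, so data that predates the
// fix (or reached storage another way) renders as text, not markup.
function renderField(storedValues) {
  return storedValues.map((v) => `<li>${escapeHtml(v)}</li>`).join('');
}

// Constructed sample submissions: one value, and two values with markup in one.
const single = ['<i>x</i>'];
const multi = ['English', '<i>x</i>'];
```

The strict check and the escaping are independent layers: the first keeps bad values out of storage, the second keeps already-stored values from being interpreted as markup.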


This content was last updated on 03/31/2021.
