Problem

We were able to identify a security vulnerability in our Linchpin User Profiles app. The vulnerability allows any logged-in user to inject JavaScript code into profile fields of certain types in their own profile, or other profiles which they are permitted to edit. The affected field types are Phone and linked fields, that are configured to use user input in their URLs. This malicious code would then be executed in the viewing user's context and allows to perform all actions in the user's scope. The User Profiles API is not affected by the vulnerability.

The vulnerability has been rated as high (7.3) according to the scale published under the Common Vulnerability Scoring System (CVSS).

This issue was discovered during internal quality assurance on 16.09.2020. As soon as we noticed the issue, we analyzed the codebase for similar vulnerabilities.

All versions of the app Linchpin User Profiles up to and including 2.24.2 are affected by this vulnerability.
All versions of the Linchpin Intranet Suite are affected by this vulnerability, up to and including versions 3.2.2, 3.3.3 and 3.4.1.
All versions of Linchpin Essentials are affected by this vulnerability, up to and including versions 1.2.3 and 1.3.1.

Solution

Depending on the fact whether you use the Linchpin User Profiles app standalone or bundled in Linchpin Essentials or the Linchpin Intranet Suite, there are different paths to get to the right version of the Linchpin User Profiles that closes the gap mentioned.

Linchpin User Profiles

If you are using the Linchpin User Profiles app in one of the affected versions 2.24.2 or earlier, please immediately update to Linchpin User Profiles 2.24.3.

Linchpin Intranet Suite

If you are using profile fields of type Phone or any linked profile field, that has been configured to use user input in its URL in your system, immediately update to a Linchpin Intranet Suite version containing the fix.
Please refer to the table below to determine the appropriate fix version. Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

For versions prior to the 3.2 line, we recommend updating to the latest supported version of the Linchpin Intranet Suite available for your Confluence system.

Important: If you update from Linchpin Intranet Suite 2.0.0 or earlier versions, your system could be affected by a rare bug that causes the installation to hang.
Please follow the description in this article: Installation or update of Linchpin Intranet Suite hangs

1. Restart Confluence (only necessary if the update is already hanging)
2. Uninstall the app "Linchpin User Profiles (Content Responsibility)".
3. Uninstall the app "Linchpin User Profiles".
4. Install the app "Linchpin Intranet Suite" again.

Linchpin Essentials

If you are using profile fields of type Phone or any linked profile field, that has been configured to use user input in its URL in your system, immediately update to a Linchpin Essentials version containing the fix.
Please refer to the table below to determine the appropriate fix version. Should you be unable to update the Linchpin Intranet Suite to one of the listed versions, please reach out to our support team at https://seibert.biz/help.

Root Cause

Due to an error with sanitizing inputs, users editing a profile could potentially inject malicious data into profile fields that would end up in the attributes of the HTML tag. This qualifies as stored cross-site scripting (XSS) vulnerability. The code will then be executed in the viewing user's context and would allow to load additional code from remote sites and run this in the user's context. This also allows for an escalation of privileges.
We have fixed the problematic sanitization routine and implemented additional measures that prevent displaying such potentially harmful field values.

Link to this page: https://seibert.biz/kbsecuritynotice239