A security vulnerability was recently identified and fixed in Elements Spreadsheet. Here are the details about the issue, its impact and the analysis and actions taken.

Nature of the issue

The vulnerability affected version 1.4.73-AC of Elements Spreadsheet.
The vulnerability meant that someone could catch a request and modify the payload (URL of a link) to inject runnable Javascript that would then execute in the browser when clicking the link on Confluence view mode.
This vulnerability has been rated as low, according to the scale published on the Common Vulnerability Scoring System (CVSS).
The vulnerability was brought to our notice by the Bug Bounty Program on 19 Nov 2021 .

Impact

Based on our investigations, the vulnerability has not been exploited.

Analysis and actions taken

Once we were aware of the issue, we first confirmed that we could reproduce it. A plan was then elaborated by the IT team to analyse the situation, provide a fix for the issue and deploy it as quickly as possible.
Our investigations revealed that the problem was caused by the acceptance of javascript (such as “javascript:alert(1)”) when catching and modifying the request enabling to save a spreadsheet document.

We added a sanitizer from a third party library to prevent XSS attacks.

Deployment of the fixed version was conducted by following the usual CI procedure on 28 Jan 2022 .
On top of the automatic tests, we made another series of tests to ensure that the problem was fixed in production.

Conclusion

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com referencing "SSC-2496".