2024-03-25 - Security improvement
A security issue was fixed on March 25th, 2024.
Nature of the issue
A security vulnerability was recently identified in Elements Spreadsheet.
- It affected version 1.5.25-AC of Elements Spreadsheet.
- It was rated as moderate under the Common Vulnerability Scoring System (CVSS), and had existed since August 29th, 2023.
- It was brought to our attention by the Atlassian Marketplace Bug Bounty program.
Impact
Based on our investigations, the vulnerability meant that an active user could post comments in Spreadsheet documents on behalf of someone else, by using the Confluence REST API.
This flaw could have enabled a malicious user to forge comments using the identity of other users. Such actions can be used to tarnish someone's reputation or benefit the forger.
To exploit this vulnerability, the user needed access to the page where the Spreadsheet document was located, and the forgery could not be performed through the Confluence interface, only through a direct API call.
Thus, exploiting the vulnerability required both access and technical skill, which limited its reach. We have no evidence that it was ever exploited by actual users.
Analysis and actions taken
Once we became aware of the issue, we reproduced it and identified the origin of the problem.
Since the primary concern of the vulnerability was that a user could impersonate another user, we decided to completely remove the author from comments. This means comments are no longer identified by their author and have been repurposed as sticky notes. Note that it is still possible to add user mentions inside a comment.
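The following is an added illustration of the flaw class and the remediation described above; it is not Elements Spreadsheet's code, and the request shape, field names and function names are assumptions. It contrasts a handler that trusts a client-supplied author with one that, as in the fix, records no author at all, and adds a defender-side check over constructed request logs.

```python
"""Illustrative model of a comment endpoint that trusts a caller-supplied author,
beside the remediation of dropping authorship entirely. Not the vendor's code;
the request body shape ("text", "author") and function names are assumed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Comment:
    text: str
    author: Optional[str]  # None once authorship is removed, as in the fix


def create_comment_vulnerable(body: dict, session_user: str) -> Comment:
    """Flawed pattern: the stored author comes from the request body, so any
    caller who can reach the endpoint can attribute a comment to someone else."""
    return Comment(text=body["text"], author=body.get("author", session_user))


def create_comment_fixed(body: dict, session_user: str) -> Comment:
    """Remediation matching the advisory: no author is recorded, so the comment
    behaves like a sticky note. A client-supplied "author" is ignored, and any
    @-mention stays inside the text rather than being treated as authorship."""
    return Comment(text=body["text"], author=None)


# Constructed sample API calls: (authenticated session user, JSON body).
SAMPLE_REQUESTS = [
    ("alice", {"text": "Looks good", "author": "alice"}),
    ("mallory", {"text": "I approve this budget", "author": "bob"}),
    ("carol", {"text": "Ping @bob to review"}),
]


def forged_author_attempts(requests):
    """Defender-side check over request logs: flag calls whose body names an
    author other than the authenticated caller. Returns (caller, claimed) pairs."""
    return [
        (user, body["author"])
        for user, body in requests
        if body.get("author") not in (None, user)
    ]


if __name__ == "__main__":
    for user, body in SAMPLE_REQUESTS:
        print(create_comment_vulnerable(body, user), create_comment_fixed(body, user))
    print(forged_author_attempts(SAMPLE_REQUESTS))
```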
Conclusion
We want you to know that we take security issues very seriously. We are taking measures to make sure this does not occur again for any of our customers.
If you have any questions, please feel free to raise a support request at support.elements-apps.com.