We wish to advise our customers of a cross-site scripting (XSS) vulnerability that affects the UI Button macro and UI Image macro macros. Affected versions are Refined Toolkit for Confluence Server 1.0 - 2.2.5.
Risk Assessment
The vulnerability allows an attacker to inject scripts that are run when the button is clicked. The attacker needs to have permission to add or edit Confluence pages or blog posts in order to exploit the vulnerability.
If you have any questions regarding this matter please contact us at support@refined.com.
Fixed Versions
This issue is resolved and released in version: Version 2.2.7. We strongly recommend you update to this version as soon as possible.
We'd like to thank Daniel Teuchert and Roman Ferdigg (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab for responsibly reporting the identified issue and working with us as we addressed it.