XSRF vulnerability in admin screens of EasySSO
Incident Report for TechTime Initiative Group
Update
Fix has been implemented and is undergoing internal testing
Posted Apr 03, 2020 - 18:15 NZDT
Identified
The vulnerability has been confirmed for all flavours of EasySSO.

Workarounds exist:
1) Put a reverse proxy in front of Confluence (or whichever host application EasySSO runs on) and have it check the "Origin" header on state-changing requests, so that requests triggered by other websites are rejected before they reach the application.
2) Have the reverse proxy rewrite the application's session cookies to carry the "SameSite=Strict" attribute. The browser then does not send the authenticated user's cookies on requests triggered by other websites, so a forged request arrives unauthenticated. Note that Strict also withholds the session cookie on legitimate top-level navigations from other sites (for example following a link from an email or from Jira into Confluence), so the user appears logged out on that first page load.
Posted Apr 02, 2020 - 13:30 NZDT
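The two workarounds above, expressed as a reverse-proxy configuration. This is an added example, not configuration from TechTime or from the EasySSO documentation; the hostname confluence.example.com, the backend address 127.0.0.1:8090 and the certificate paths are assumptions to be replaced with your own values.

```nginx
# Constructed example: nginx reverse proxy in front of Confluence.
# Assumed public hostname: confluence.example.com (replace as needed).

# 1) Classify the Origin header. An absent header is allowed because
#    non-browser clients and some older browsers omit it on same-origin
#    requests; a browser cannot forge or suppress Origin on a request
#    triggered by another website. "null" and any foreign site fall to the default.
map $http_origin $origin_ok {
    default                          0;   # foreign origin, including "null"
    ""                               1;   # header absent
    "https://confluence.example.com" 1;   # our own origin
}

# 2) Only state-changing methods are checked; GET/HEAD/OPTIONS pass through.
#    The value is "<method>:<origin_ok>", e.g. "POST:0" for a cross-site POST.
map "$request_method:$origin_ok" $csrf_block {
    default                          0;
    "~^(POST|PUT|PATCH|DELETE):0$"   1;
}

server {
    listen 443 ssl;
    server_name confluence.example.com;
    ssl_certificate     /etc/nginx/tls/confluence.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/confluence.key;   # assumed path

    location / {
        # Workaround 1: reject state-changing requests from other websites.
        if ($csrf_block) {
            return 403;
        }

        proxy_pass http://127.0.0.1:8090;   # Confluence backend (assumption)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Workaround 2: rewrite every Set-Cookie from the backend so the
        # cookie carries SameSite=Strict (and Secure). The "~" pattern
        # matches all cookies. Requires nginx 1.19.3 or later.
        proxy_cookie_flags ~ secure samesite=strict;
    }
}
```

If the application is reachable under more than one hostname or port, add each of them to the first map, otherwise legitimate same-site requests from those origins will be blocked. On nginx older than 1.19.3, proxy_cookie_flags is unavailable; the older workaround is to append the attribute through proxy_cookie_path, for example `proxy_cookie_path / "/; Secure; SameSite=Strict";`, which rewrites the Path attribute and smuggles the extra attributes after it. Test both rules with a cross-site POST from a throwaway page before relying on them, and remember that SameSite=Lax would still let a cross-site top-level GET carry the session, so it is not a substitute for Strict if any admin action is triggered by a GET.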
Investigating
We have received a report of an XSRF (cross-site request forgery) vulnerability in the admin screens of EasySSO for Confluence, affecting versions 4.2.14 and earlier.
Credit: Timo Lindfors
Vulnerability rated as: 9.6 (Critical), CVSS v3.0 base score
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:W/RC:C
Posted Apr 01, 2020 - 08:00 NZDT
This incident affected: TechTime Server Apps (EasySSO for Jira Server, EasySSO for Confluence Server, EasySSO for Bitbucket Server, EasySSO for Bamboo Server, EasySSO for Fisheye/Crucible Server) and TechTime Data Center Apps (EasySSO for Bitbucket Data Center, EasySSO for Jira Data Center, EasySSO for Confluence Data Center).