XSRF vulnerability in admin screens of EasySSO
Incident Report for TechTime Initiative Group
Update
Fix has been implemented and is undergoing internal testing
Posted Apr 03, 2020 - 18:15 NZDT
Identified
The vulnerability has been confirmed, for all flavours of EasySSO.

Workarounds exist:
1) Use a reverse proxy to check the "Origin" header, so that requests triggered from other websites are not passed through to Confluence.
2) Use a reverse proxy to enforce that session cookies have the "SameSite=Strict" attribute set. This causes the browser to not send the authenticated user's cookies when requests are triggered by other websites.
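As an added illustration, not TechTime's own configuration, the following shows how both workarounds above could be expressed in an nginx reverse proxy placed in front of Confluence; the hostname confluence.example.com, the upstream address and the certificate paths are assumed placeholders.

```nginx
# Constructed example: hostname, upstream and TLS settings are placeholders.
http {
    upstream confluence_backend {
        server 127.0.0.1:8090;
    }

    # Workaround 1: accept a request only when the Origin header is absent
    # (ordinary same-site navigation, older browsers) or names this site.
    # Any other value means another website triggered the request.
    map $http_origin $foreign_origin {
        default                          1;
        ""                               0;
        "https://confluence.example.com" 0;
    }

    server {
        listen 443 ssl;
        server_name confluence.example.com;
        # ssl_certificate and ssl_certificate_key must be added here.

        location / {
            if ($foreign_origin) {
                return 403;
            }

            proxy_pass http://confluence_backend;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Workaround 2: add SameSite=Strict (and Secure) to every cookie
            # the backend sets, so the browser withholds the session cookie
            # on requests triggered from other sites. Needs nginx 1.19.3+.
            proxy_cookie_flags ~ secure samesite=strict;
        }
    }
}
```

SameSite=Strict also withholds the cookie on the top-level redirect back from an external identity provider, so the first request after an SSO login arrives without a session; verify the SSO login flow after enabling it.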
Posted Apr 02, 2020 - 13:30 NZDT
Investigating
We have had a report of an XSRF vulnerability in the admin screens of EasySSO for Confluence, versions 4.2.14 and earlier.
Credit: Timo Lindfors
Vulnerability rated as: 9.6 (Critical)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:F/RL:W/RC:C
Posted Apr 01, 2020 - 08:00 NZDT
This incident affected: TechTime Data Center Apps (EasySSO for Bitbucket Data Center, EasySSO for Jira Data Center, EasySSO for Confluence Data Center) and TechTime Server Apps (EasySSO for Jira Server, EasySSO for Confluence Server, EasySSO for Bitbucket Server, EasySSO for Bamboo Server, EasySSO for Fisheye/Crucible Server).