Description

Users can manually subscribe to pages which they are not authorized to view, hence receiving any future comments made on these pages.

Remediation

Upgrade Confluence to version 6.2.1 or above (recommended)

References

SEC Consult Vulnerability Lab Security Advisory 20170613-0

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Related Vulnerabilities

web.xml configuration file disclosure

Zend framework configuration file information disclosure

WordPress Plugin Simple File Downloader Cross-Site Scripting (1.0.4)

Jenkins weak password

Oracle E-Business Suite iStore open user registration

Severity

Medium

Classification

CVE-2017-9505 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure