Description

Users can manually subscribe to pages which they are not authorized to view, hence receiving any future comments made on these pages.

Remediation

Upgrade Confluence to version 6.2.1 or above (recommended)

References

SEC Consult Vulnerability Lab Security Advisory 20170613-0

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Related Vulnerabilities

Drupal 7 arbitrary PHP code execution and information disclosure

WordPress Plugin Yoast SEO Information Disclosure (3.2.4)

Backup files

WordPress Plugin SKU Shortlink For WooCommerce Arbitrary File Disclosure (1.3.4)

Drupal Core 7.x Information Disclosure (7.0 - 7.26)

Severity

Medium

Classification

CVE-2017-9505 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Information Disclosure