Description

Users can manually subscribe to pages which they are not authorized to view, hence receiving any future comments made on these pages.

Remediation

Upgrade Confluence to version 6.2.1 or above (recommended)

References

SEC Consult Vulnerability Lab Security Advisory 20170613-0

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Related Vulnerabilities

WP Import Export Information Disclosure (3.9.15)

Citrix ADC NetScaler Local File Inclusion (CVE-2020-8193)

XML External Entity Injection via external file

Caldera Forms-More Than Contact Forms Arbitrary File Disclosure (1.8.1)

MiwoFTP-File & Folder Manager Arbitrary File Download (1.0.5)

Severity

Medium

Classification

CVE-2017-9505 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Tags

Information Disclosure