Description
Atlassian Confluence versions starting with 4.3.0 and before 6.2.1 did not check whether a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it, even if they do not have permission to view the page itself.
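The missing check can be shown with a simplified model. This is an added example, not Confluence code: the `Page` class, the function names, the users and the comment text are all hypothetical and constructed for illustration. It contrasts a notification fan-out that trusts the watcher list with one that re-evaluates view permission when the notification is created, and adds an audit helper that lists watchers who cannot view the page.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Page:
    """Hypothetical page model: a watcher list plus an optional view restriction."""
    title: str
    watchers: Set[str] = field(default_factory=set)
    viewers: Optional[Set[str]] = None  # None means unrestricted

    def can_view(self, user: str) -> bool:
        return self.viewers is None or user in self.viewers


def notify_unchecked(page: Page, author: str, comment: str) -> dict:
    """Flawed fan-out: every watcher receives the comment body."""
    return {u: comment for u in page.watchers if u != author}


def notify_checked(page: Page, author: str, comment: str) -> dict:
    """Corrected fan-out: view permission is checked per recipient, at creation time."""
    return {u: comment for u in page.watchers
            if u != author and page.can_view(u)}


def watchers_without_view(page: Page) -> list:
    """Audit helper: watchers who would be excluded by the permission check."""
    return sorted(u for u in page.watchers if not page.can_view(u))


def demo():
    # Constructed state: "mallory" is on the watcher list but not in the
    # set of users allowed to view the restricted page.
    page = Page("Roadmap", watchers={"alice", "mallory"},
                viewers={"alice", "bob"})
    comment = "constructed comment body"
    leaked = notify_unchecked(page, "bob", comment)
    safe = notify_checked(page, "bob", comment)
    return leaked, safe, watchers_without_view(page)


if __name__ == "__main__":
    leaked, safe, stale = demo()
    print("unchecked recipients:", sorted(leaked))
    print("checked recipients:  ", sorted(safe))
    print("watchers lacking view permission:", stale)
```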
Remediation
References