Description

Users can manually subscribe to pages which they are not authorized to view, hence receiving any future comments made on these pages.

Remediation

Upgrade Confluence to version 6.2.1 or above (recommended)

References

SEC Consult Vulnerability Lab Security Advisory 20170613-0

Access Restriction Bypass using watch notifications (CVE-2017-9505)

Related Vulnerabilities

VMware Horizon Log4Shell RCE

Joomla! Core Information Disclosure (1.5.0 - 3.7.5)

Drupal Views module information disclosure vulnerability

WordPress Plugin WebP Express Arbitrary File Disclosure (0.14.10)

Joomla! Core 3.x.x Information Disclosure (3.0.0 - 3.9.19)

Severity

Medium

Classification

CVE-2017-9505 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Information Disclosure