Improper Access control inside several rest inline action resource resources - CVE-2017-9513

Description

Several rest inline action resources of Atlassian Activity Streams before version 6.3.0 allows remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks.

Environment

None

Testing Notes

Add notes...

Status

Assignee

Unassigned

Reporter

SecurityB

Add-on Type

None

Team

None

CC

None

Risk factor

None

QA Kickoff Status

None

QA Demo Status

None

Components

Fix versions

Priority

Major