Missing Permission Checks in Atlassian Activity Streams Allow Unauthorized Watching and Voting

CVE-2017-9513 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:L/AU:S/C:P/I:P/A:N

Several REST inline action resources of Atlassian Activity Streams before version 6.3.0 allow remote authenticated attackers, via missing permission checks, to watch any Confluence page and receive notifications when comments are added to the watched page, and to vote on and watch JIRA issues they do not have access to (although they will not receive notifications for those issues).
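The defect is an object-level authorization gap: the inline action verifies that the caller is logged in but never asks whether the caller may see the page or issue being watched or voted on. The following is an added, constructed Python model of that bug class and its fix (not Atlassian code; the `Target`, `can_view` and ACL shapes are assumptions), plus a small post-patch audit that lists subscribers who should never have been able to subscribe:

```python
"""Toy model of the authorization gap in CVE-2017-9513 (constructed example, not
Atlassian code): an inline watch/vote action that checks only that the caller is
authenticated, beside a version that also checks view permission on the target."""
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when an authenticated user lacks permission on the target object."""

@dataclass
class Target:
    """A Confluence page or JIRA issue with a constructed view ACL."""
    key: str
    viewers: set                              # users allowed to view the target
    watchers: set = field(default_factory=set)
    voters: set = field(default_factory=set)

def can_view(user: str, target: Target) -> bool:
    return user in target.viewers

def _apply(user: str, target: Target, action: str) -> bool:
    # Shared effect of the inline action once it has been allowed.
    if action == "watch":
        target.watchers.add(user)
    elif action == "vote":
        target.voters.add(user)
    else:
        raise ValueError(f"unknown inline action: {action}")
    return True

def vulnerable_inline_action(user: str, target: Target, action: str) -> bool:
    """Pre-6.3.0 shape: authentication only, no object-level permission check."""
    if not user:
        raise PermissionError("authentication required")
    return _apply(user, target, action)

def fixed_inline_action(user: str, target: Target, action: str) -> bool:
    """Hardened shape: the caller must be allowed to view the target first."""
    if not user:
        raise PermissionError("authentication required")
    if not can_view(user, target):
        raise Forbidden(f"{user} may not view {target.key}")
    return _apply(user, target, action)

def unauthorized_subscribers(target: Target) -> set:
    """Post-patch audit: watchers or voters who cannot view the target.
    Patching the check does not undo subscriptions created before the fix."""
    return (target.watchers | target.voters) - target.viewers
```

The audit function matters because upgrading to a fixed version stops new unauthorized subscriptions but leaves any that were already created in place.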
