CVE-2023-22504

MEDIUM severity · CVSS 6.5 · Unrestricted file upload

6.5CVSS MEDIUM

Summary

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactNone

Integrity impactHigh

Availability impactNone

Exploit probability (EPSS)0%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products we track (1)

Atlassian Confluence

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://jira.atlassian.com/browse/CONFSERVER-83218Advisory
https://jira.atlassian.com/browse/CONFSERVER-83218Advisory