CVE-2023-22504 (confluence_server)

Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.

The affected versions are before version 7.19.9.

This vulnerability was discovered by Rojan Rijal of the Tinder Security Engineering Team.

access access control atlassian atlassian confluence atlassian confluence server attachments attackers broken access control confluence confluence server control cve engineering permissions security security engineering server team tinder upload version vulnerability