Medium severity 4.3 · NVD Advisory · Published Jun 15, 2017 · Updated May 13, 2026
CVE-2017-9505
Description
Atlassian Confluence versions starting with 4.3.0 and before 6.2.1 did not check whether a user had permission to view a page when creating a workbox notification about new comments. An attacker who can log in to Confluence could receive workbox notifications, which contain the content of comments, for comments added to a page after they started watching it, even if they do not have permission to view the page itself.
Affected products
- Atlassian/Confluence Server v5, Range: Versions of Confluence starting with 4.3.0 before 6.2.1 are affected by this vulnerability.
Patches
No patches discovered yet.
References
- www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170613-0_Atlassian_Confluence_Access_Restriction_Bypass_v10.txt (nvd: Exploit, Mitigation, Third Party Advisory)
- www.securityfocus.com/bid/99086 (nvd: Third Party Advisory, VDB Entry)
- jira.atlassian.com/browse/CONFSERVER-52560 (nvd: Mitigation, Vendor Advisory)