Atlassian Confluence Server Remote Attachment Upload via BAC
CVE-2023-22504 Published on May 25, 2023
Affected versions of Atlassian Confluence Server allow remote attackers who have read permissions to a page, but not write permissions, to upload attachments via a Broken Access Control vulnerability in the attachments feature.
Products Associated with CVE-2023-22504
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-22504 are published in Atlassian Confluence:
Affected Versions
Atlassian Confluence Data Center:- Version < 1.1.2 is unaffected.
- Version >= 1.1.2 is affected.
- Version >= 7.14.0 is affected.
- Version >= 7.20.0 is affected.
- Version >= 7.13.7 is unaffected.
- Version >= 7.19.9 is unaffected.
- Version >= 8.2.2 is unaffected.
- Version >= 8.3.0 is unaffected.
- Version < 1.1.2 is unaffected.
- Version >= 1.1.2 is affected.
- Version >= 7.14.0 is affected.
- Version >= 7.20.0 is affected.
- Version >= 7.13.7 is unaffected.
- Version >= 7.19.9 is unaffected.
- Version >= 8.2.2 is unaffected.
- Version >= 8.3.0 is unaffected.
Exploit Probability
EPSS
0.19%
Percentile
40.28%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.