The file downloading functionality in the Atlassian Companion App before version 1.0.0 allows remote attackers, who control a Confluence Server instance that the Companion App is connected to, execute arbitrary .exe files via a Protection Mechanism Failure.
h5. Acknowledgements
Credit for finding this vulnerability goes to Johannes Hatting (UFST).
CPE | Name | Operator | Version |
---|---|---|---|
confluence server and data center | le | Companion-Legacy | |
confluence server and data center | lt | 7.3.1 |