The version of the bundled Atlassian Activity Streams plugin was vulnerable to Improper Access control. This allowed remote authenticated attackers to watch any Confluence page & receive notifications when comments are added to the watched page, and vote & watch JIRA issues that they do not have access to, although they will not receive notifications for the issue, via missing permission checks. More information about the Atlassian Activity Stream plugin issue see https://ecosystem.atlassian.net/browse/STRM-2350 .