The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group.
Uninstalling the Questions for Confluence app does not remediate this vulnerability. The account does not automatically get removed after the app has been uninstalled.
No source data
Vendor | Product | Version |
---|---|---|
a | atlassian | confluence |