We have confirmed a vulnerability exists. The only way to mitigate the vulnerability for now is to disable SpaceUnZip system-wide.
Credit: Ioannis Oikonomou
Vulnerability rated as: 3.4 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:F/RL:U/RC:C
Posted Apr 09, 2020 - 10:00 NZST
Investigating
We received a report that a user who has read-only access to a space is able to click on the SpaceUnZip link in attachments and unzip files within the space, thus creating new pages.
Posted Apr 09, 2020 - 07:45 NZST
This incident affected: TechTime Server Apps (SpaceUnZip for Confluence Server).