Permission check missing in SpaceUnZip actions
Incident Report for TechTime Initiative Group
This incident has been resolved.
Posted Apr 14, 2020 - 14:48 NZST
New version 1.1.5 has been released to Atlassian Marketplace:
Posted Apr 14, 2020 - 14:47 NZST
We have confirmed a vulnerability exists. The only way to mitigate the vulnerability for now is to disable SpaceUnZip system-wide.

Credit: Ioannis Oikonomou
Vulnerability rated as: 3.4 (Low)
Posted Apr 09, 2020 - 10:00 NZST
We received a report that a user who has read-only access to a space is able to click on the SpaceUnZip link in attachments and unzip files within the space, thus creating new pages.
Posted Apr 09, 2020 - 07:45 NZST
This incident affected: TechTime Server Apps (SpaceUnZip for Confluence Server).