CVE-2022-26138 - Hardcoded credentials
Original CVE data
The Atlassian Questions For Confluence app for Confluence Server and Data Center creates a Confluence user account in the confluence-users group with the username disabledsystemuser and a hardcoded password. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access all content accessible to users in the confluence-users group. This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Atlassian - (1)
Common vulnerability metrics
Vulnerability weakness type is in the top 25 CWEs according to MITRE. View Mitre Top 25 CWEs
Exploits are available either through exploit packs, Github repos or the world wide web in general.
Vulnerability is referenced under CISA's Known Exploited Vulnerabilities (KEV) catalog. See the KEV Catalog
No sightings of the vulnerability within threat reports.
How the vulnerability maps against various cybersecurity frameworks
How the submited vulnerability affects compliance
Web Application Security Frameworks
Applicable if the issue likely affects a web application