The Atlassian Questions For Confluence app for Confluence Server and Data Center
creates a Confluence user account in the confluence-users group with
the username disabledsystemuser and a hardcoded password. A remote,
unauthenticated attacker with knowledge of the hardcoded password could
exploit this to log into Confluence and access all content accessible
to users in the confluence-users group.
This user account is created when installing versions 2.7.34, 2.7.35, and 3.0.2 of the app.
Hardcoded Credentials:
- User: disabledsystemuser
- Password: disabled1system1user6708
The hardcoded credentials were lying in plain text inside the jar files of the affected plugin, for example:
https://packages.atlassian.com/maven-atlassian-external/com/atlassian/confluence/plugins/confluence-questions/3.0.2/confluence-questions-3.0.2.jar
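Because the credentials sit as plain strings inside the plugin jar, an administrator can confirm whether a deployed copy of the app is one of the affected builds by searching the jar's entries for them. The script below is an added example written for this page; it is not Atlassian's code or part of the advisory. It reads every entry of a jar as raw bytes and reports which entries contain the hardcoded username or password, and it checks a version string against the three affected versions named above. The constructed sample jar it builds in memory (with the made-up entry name com/example/SystemUserSetup.class) exists only so the example runs offline; the real plugin jar would be passed on the command line instead.

```python
import io
import sys
import zipfile

# Credential pair and affected versions as published in the advisory above.
HARDCODED_USER = "disabledsystemuser"
HARDCODED_PASSWORD = "disabled1system1user6708"
AFFECTED_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}


def scan_jar_bytes(jar_bytes: bytes) -> dict:
    """Return which jar entries contain the hardcoded username or password.

    Every entry (class files, properties, XML) is searched as raw bytes.
    Java string constants in .class files are stored as modified UTF-8,
    which for pure-ASCII strings like these is byte-identical to the
    plain encoding searched for here.
    """
    hits = {"user": [], "password": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info.filename)
            if HARDCODED_USER.encode() in data:
                hits["user"].append(info.filename)
            if HARDCODED_PASSWORD.encode() in data:
                hits["password"].append(info.filename)
    return hits


def scan_jar_file(path: str) -> dict:
    """Scan a jar on disk (e.g. the plugin jar from the Confluence plugins directory)."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read())


def is_affected_version(version: str) -> bool:
    """True if the given Questions for Confluence version is one the advisory lists."""
    return version.strip() in AFFECTED_VERSIONS


def build_sample_jar(include_credentials: bool) -> bytes:
    """Build a constructed, minimal jar in memory for demonstration.

    This is NOT the real plugin; the entry name and contents are made up so
    the scanner can be exercised without downloading anything.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        body = b"\xca\xfe\xba\xbe" + b"constructed class constant pool bytes "
        if include_credentials:
            body += HARDCODED_USER.encode() + b"\x00" + HARDCODED_PASSWORD.encode()
        jar.writestr("com/example/SystemUserSetup.class", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_questions_jar.py /path/to/confluence-questions-<version>.jar
    if len(sys.argv) == 2:
        result = scan_jar_file(sys.argv[1])
    else:
        print("no jar given; scanning a constructed sample jar instead")
        result = scan_jar_bytes(build_sample_jar(include_credentials=True))
    if result["password"]:
        print("hardcoded password found in:", ", ".join(result["password"]))
    else:
        print("hardcoded password not found")
```

A clean or absent jar only says something about the plugin files on disk: the advisory states that the account is created in Confluence itself, so the confluence-users directory should also be checked for a disabledsystemuser account and the account disabled or removed if present.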