In Atlassian Confluence Server and Data Center, the Widget Connector macro before version 6.6.12 (the fixed version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for 6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x), and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) allows remote attackers to achieve path traversal and remote code execution via server-side template injection (CVE-2019-3396).

A separate path traversal vulnerability affects the "download all attachments" resource (CVE-2019-3398); it is not a template injection issue and has its own fixed versions, which are not listed here. A remote attacker who has permission to add attachments to pages and/or blogs, to create a new space or a personal space, or who has 'Admin' permission for a space can exploit it to write files to arbitrary locations, which can lead to remote code execution on systems running a vulnerable version of Confluence Server or Data Center.
Upgrade to the latest release of Confluence Server or Data Center. The fixed versions listed above apply to the Widget Connector issue; any release at or above the fixed version for your release line (6.6.12, 6.12.3, 6.13.3 or 6.14.2) closes that vulnerability.
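The version ranges above are easy to misread (the first range covers every release before 6.6.12, not just 6.6.x, while 6.6.12 and later on the 6.6 line are not affected). As an added example that is not part of the advisory text and not Atlassian's own tooling, the following Python encodes exactly the Widget Connector ranges stated above so an administrator can check an inventory of Confluence versions. The version strings in the sample inventory are constructed for illustration; the range table is the only source of truth and is taken from the advisory text.

```python
"""Check Confluence Server/Data Center versions against the Widget Connector
advisory ranges (added example; the ranges are copied from the advisory text)."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (lower bound inclusive or None for "everything before", upper bound exclusive).
# The upper bound of each range is the fixed version for that release line.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "6.6.12"),      # everything before 6.6.12, including 6.5.x and older
    ("6.7.0", "6.12.3"),   # 6.7.0 .. 6.12.2
    ("6.13.0", "6.13.3"),  # 6.13.0 .. 6.13.2
    ("6.14.0", "6.14.2"),  # 6.14.0 .. 6.14.1
]


def parse_version(text: str) -> Version:
    """Turn '6.12.3' (or '6.12') into a comparable tuple, padded to 3 parts.

    A pre-release suffix such as '-rc1' is ignored; tuples compare
    lexicographically, which is what we want for dotted release numbers.
    """
    core = text.strip().split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the fixed version the given build should move to, or None if
    the build is outside every affected range."""
    v = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        in_lower = lower is None or parse_version(lower) <= v
        if in_lower and v < parse_version(fixed):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def triage(inventory: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Map each version in an inventory to the fixed version it needs (or None)."""
    return [(v, fixed_version_for(v)) for v in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["6.6.11", "6.6.12", "6.6.13", "6.12.2", "6.12.3", "6.13.3",
              "6.14.1", "6.14.2", "6.15.0", "5.10.8"]
    for ver, fix in triage(sample):
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not affected"
        print(f"{ver:>8}: {status}")
```

Note that a build such as 6.6.13 is not affected by this issue even though 6.7.0 through 6.12.2 are: the ranges are per release line, and the checker reproduces that rather than treating "before 6.12.3" as a single interval.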