In some circumstances an attacker may be able to craft a request to a Confluence server that bypasses the additional layer of security added by the new Secure Administrator Sessions feature introduced in Confluence 3.3.

This would allow an attacker to perform administrative functions on Confluence using a hijacked session without having to re-authenticate.

This issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/VgozDQ for information on other security related issue and more information on how we rate issues.