FullCalendar Macro
FULLCAL-82

Calendar.JSONService exposes emails of all users


Description

Steps to reproduce:

Open /xwiki/bin/get/Calendar/JSONService?classname=XWiki.XWikiUsers&startfield=password&extraFields=password,email,last_name&outputSyntax=plain.

Expected result:

The output doesn't contain any password hashes.

Actual result:

The output displays the password hashes of all users in the "description" field.

Passing the email in the first field in the extra fields would also display the email even when obfuscation is disabled.

The code for returning the values shouldn't use getValue; it should instead use display, and then apply the #unwrapXPropertyDisplay macro (or copy its code in case it's not available in the XWiki version used).

GitHub advisory: https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m
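The difference between the two approaches, as an added Velocity illustration that is not the macro's own code: reading caller-chosen fields with getValue returns the stored value regardless of property type, while going through display lets the property class (PasswordClass, EmailClass) decide what is shown. Assumed: the request parameters named on this page, the XWiki Document API calls $doc.getObjects() and $doc.display(field, mode, object), and that #unwrapXPropertyDisplay takes the display output as its single argument.

```velocity
## Added example, not the FullCalendar macro's code. Objects are taken from the
## current document for simplicity; the real service selects them by query.
#set ($className = $request.get('classname'))
#set ($extraFields = $request.get('extraFields').split(','))
#set ($results = [])
#foreach ($obj in $doc.getObjects($className))
  #set ($entry = {})
  #foreach ($field in $extraFields)
    ## Vulnerable pattern (kept as a comment): the raw stored value leaves with
    ## no regard for the property type, so a password hash is returned verbatim
    ## and e-mail obfuscation is bypassed.
    ## #set ($discard = $entry.put($field, $obj.getValue($field)))

    ## Hardened pattern: render the property in view mode so the property class
    ## applies its own display rules, then strip the {{html}} wrapper that
    ## display() adds (assumed one-argument macro signature, as on this page).
    #set ($rendered = $doc.display($field, 'view', $obj))
    #set ($discard = $entry.put($field, "#unwrapXPropertyDisplay($rendered)"))
  #end
  #set ($discard = $results.add($entry))
#end
$jsontool.serialize($results)
```

If #unwrapXPropertyDisplay is missing in the deployed XWiki version, copy its definition into the macro's own template as the description suggests.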

People: Sorin Chiuchiu, Michael Hamann