Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-18602

Dataleak on fully-private Wiki on Delete page

    XMLWordPrintable

Details

    • High
    • Unknown

    Description

      Reproduction Steps:

      • Prevent guest user from being able to view any page through Global Administration Rights settings
      • Log out
      • Go to : <server>/bin/loginsubmit/?xpage=delete

      Result:

      • Page title, author complete name are shown
      • link containing its username is available in page source code
      • Number of children and number of backlinks of current page are also displayed

      Expected Result:

      • On a fully-private Wiki, this particular page should not be accessible and these informations should not be accessible

       

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19549 Page content, object properties and title leak on fully private wiki with xpages on the login action

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              gcoquard Guillaume COQUARD
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: