Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-18849

Private user data are accessible through suggest.vm

    XMLWordPrintable

Details

    • Unit
    • High
    • Unknown
    • N/A

    Description

      Reproduction steps:

      • Go to:
        • http://<server>/bin/login/XWiki/XWikiLogin?xpage=suggest&classname=XWiki.XWikiUsers&templatename=&input=&fieldname=email

      Results:

      • suggets template let access email, password hash and about every user profile information

       

      Expected Results:

      • None of the previous informations should be accessible

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18851 Unauthenticated user can retrieve user information through getdeleteddocuments.vm

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-18850 Unauthenticated user can retrieve the list of users through uorgsuggest.vm

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed
          links to

          Web Link GitHub Security advisory

          Activity

            People

              MichaelHamann Michael Hamann
              gcoquard Guillaume COQUARD
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: