Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: 12.10.11, 13.9-rc-1, 13.4.4
Affects Version/s: 12.10.8, 13.6-rc-1
Component/s: Web - Templates & Resources
Labels:

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Pull Request Status:
Pull Request accepted
Similar issues:

Description

An unauthenticated user can retrieve a list of users and their fullname through a public accessible URL.

Reproducing steps:
Navigate to :

http://<server>/bin/login/XWikiLogin?xpage=uorgsuggest&uorg=user&wiki=&media=json

Results:

uorgsuggest gives access to user fullname and reference even if the wiki is private

Expected Results:

User fullname and documents fullname should not be accessible to anyone who don't have corresponding rights

Attachments

Issue Links

is related to

XWIKI-18851 Unauthenticated user can retrieve user information through getdeleteddocuments.vm

Closed

XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

Closed

relates to

XWIKI-18849 Private user data are accessible through suggest.vm

Closed

XWIKI-20007 When sharing a page from a subwiki, global users with restricted access get suggested

Closed

links to

GHSA-97jg-43c9-q6pf

Activity

People

Assignee:: Manuel Leduc

Reporter:: Guillaume COQUARD

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Jul/21 18:29

Updated:: 26/Jul/22 09:36

Resolved:: 13/Oct/21 15:19

Date of First Response:: 28/Sep/21 11:30 AM