Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Solved By
Priority: Blocker
Fix Version/s: 12.10.11, 13.9-rc-1, 13.4.4
Affects Version/s: 12.10.8, 13.6-rc-1
Component/s: Web - Templates & Resources
Labels:

Development Priority:
High
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

An unauthenticated user can user information through a public accessible URL.

Reproducing steps:
Navigate to :

http://<server>/bin/login/XWikiLogin?xpage=getdeleteddocuments&limit=10000

Results:

getdeleteddocuments gives access to creator reference and fullname of every deleted documents and documents fullname and reference even if they are not accessible

Expected Results:

User fullname and documents fullname should not be accessible to anyone who don't have corresponding rights

Attachments

Issue Links

is related to

XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

Closed

relates to

XWIKI-18849 Private user data are accessible through suggest.vm

Closed

XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

Closed

XWIKI-18850 Unauthenticated user can retrieve the list of users through uorgsuggest.vm

Closed

Activity

People

Assignee:: Manuel Leduc

Reporter:: Guillaume COQUARD

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 22/Jul/21 18:35

Updated:: 07/Jul/22 16:13

Resolved:: 14/Mar/22 09:33

Date of First Response:: 10/Mar/22 5:31 PM