Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 14.2, 13.10.4
Affects Version/s: 1.1.1
Component/s: Old Core
Labels:

Development Priority:
High
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Make the wiki fully closed, i.e., check "Prevent unregistered users from viewing pages, regardless of the page rights" and the similar checkbox for editing in the rights administration.
Go to <server>/xwiki/bin/login/Main/?xpage=view

Expected result:

You are redirected to login.

Actual result:

The page including title and content are displayed.

Note that this applies to any page but no sheets are applied. This also works with xpage=preview and xpage=print.

This issue most likely affects all versions of XWiki, I was able to reproduce on XWiki Enterprise 1.1.1, the oldest version that has a demo package available.

Attachments

Issue Links

causes

XWIKI-19576 XWikiPreferences vanish on newly created subwikis

Closed

XWIKI-21553 Document overwrite from edit through Rights UI

Closed

is duplicated by

XWIKI-18602 Dataleak on fully-private Wiki on Delete page

Closed

links to

GitHub Security advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 22/Mar/22 14:28

Updated:: 21/Nov/23 18:20

Resolved:: 25/Mar/22 13:29