Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-19948

Password hash might be leaked by diff once the xobject holding them is deleted

    XMLWordPrintable

Details

    • Unknown
    • N/A

    Description

      Reproduction steps:

      • Create a user
      • With Admin account, go to the user page in object editor, remove the user xobject and save
      • Perform a diff between last version and previous one

      Expected result:

      • the password is obfuscated in the diff

      Obtained result:

      • the password value is displayed (should be a hash)

      See attached screenshot.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-9017 Possibility to see passwords hash in document history

          • Major - Major loss of function.
          • Closed
          relates to

          New Feature - A new feature of the product, which has yet to be developed. XWIKI-21393 Allow admins to reset user passwords in batch

          • Major - Major loss of function.
          • Open

          Activity

            People

              surli Simon Urli
              surli Simon Urli
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: