Retrieve email addresses of all users

SUBMISSION REFERENCES

• Submission code: XWIKI-7B910O3J
• Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-7B910O3J

RESEARCHER INFORMATION

• Submitter: floerer

SUBMISSION INFORMATION

• Created at: Thu, 03 Nov 2022 07:48:27 GMT
• Submission status: Archived

REPORT CONTENT

• Severity: High (7.5)
• Domain: https://intigriti.xwiki.com/ (Url)
• Proof of concept: According to the out-of-scope section all the user data is public except for the email and password, however it is possible to retrieve the email address of other users.

*Steps to reproduce*
1. Go to https://intigriti.xwiki.com/xwiki/bin/get/XWiki/UserDirectoryLivetableResults?outputSyntax=plain&transprefix=xe.userdirectory.&classname=XWiki.XWikiUsers&collist=_avatar%2Cdoc.name%2Cfirst_name%2Clast_name%2Cemail%2Cactive&queryFilters=currentlanguage%2Chidden&&hideDisabledProfiles=true&offset=1&limit=10&reqNo=1&sort=doc.name&dir=asc
2. Now you will see the list of users, you can search for `floerer@intigriti.me` and see that my email address is there, only the short version `f....@intigriti.me` is shown in the frontend but via the endpoint the full address can be retrieved

• Impact: Retrieve full email addresses of all the users on the platform.
• Personal data involved: No
• Endpoint: https://intigriti.xwiki.com/xwiki/bin/get/XWiki/UserDirectoryLivetableResults?outputSyntax=plain&transprefix=xe.userdirectory.&classname=XWiki.XWikiUsers&collist=_avatar%2Cdoc.name%2Cfirst_name%2Clast_name%2Cemail%2Cactive&queryFilters=currentlanguage%2Chidden&&hideDisabledProfiles=true&offset=1&limit=10&reqNo=1&sort=doc.name&dir=asc
• Type: Improper Access Control
• Attachments: No attachments available