Details
- Bug
- Resolution: Fixed
- Blocker
- 11.8-rc-1
- Unit
- Unknown
- N/A
- N/A
- Awaiting Committer feedback
Description
Mail.MailConfig is expected to be editable by admins only, as it contains some configurations (e.g., the obfuscation of mails). But currently, there are no restrictions and it can be edited by any user with edit rights.
Mail.SendMailConfigClass in Mail.MailConfig can also be edited in the same way, allowing any user to redirect sent mail to a rogue SMTP server, allowing it to receive all emitted mails.
Issue Links
- is related to
  - XWIKI-20671 Objects of Mail.MailConfig can be edited by any user with edit rights (Closed)
- relates to
  - XWIKI-15196 SMTP settings used for each new wiki not inherited from xwiki.properties (Closed)