XWiki Platform: XWIKI-22471

No warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right


    Description

      Steps to reproduce:

      1. As a user without script right, create an object of type XWiki.Notifications.Code.NotificationEmailRendererClass on any document. Don't put any Velocity code in any of the properties.
      2. As a user with admin right, edit the document.

      Expected result:

      A warning is displayed, because saving the document in edit mode grants the object the admin right that it requires in order to become active.

      Actual result:

      No warning is displayed. It is not clear to me if this has any truly negative security consequences apart from email templates being overridden. However, this could be used to, e.g., send misleading/spam email content to users and to hide real notifications about malicious activities.

      People

        Michael Hamann