Details
-
Bug
-
Resolution: Fixed
-
Major
-
15.9-rc-1
-
Unit
-
Unknown
-
N/A
-
N/A
-
Description
Steps to reproduce:
- As a user without script right, create an object of type XWiki.Notifications.Code.NotificationEmailRendererClass on any document. Don't put any Velocity code in any of the properties.
- As a user with admin right, edit the document.
Expected result:
A warning is displayed as editing grants the object admin right which is required for it to be active.
Actual result:
No warning is displayed. It is not clear to me if this has any truly negative security consequences apart from email templates being overridden. However, this could be used to, e.g., send misleading/spam email content to users and to hide real notifications about malicious activities.
Attachments
Issue Links
- links to