[XWIKI-22736] Title of inaccessible pages available through the class property values REST API - XWiki.org JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 16.10.3, 17.0.0, 16.4.7
Affects Version/s: 10.9
Component/s: REST
Labels:

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Create a page named "Page.WebHome" with title "Secret Title".
Restrict view right on this page to admins.
As user without admin right (just view right on generic pages, could be guest), open /xwiki/rest/wikis/xwiki/classes/XWiki.ClassSheetBinding/properties/sheet/values?fp=Page.WebHome&exactMatch=true on your XWiki instance.

Expected result:

The title "Secret Title" of the page isn't included in the response.

Actual result:

The response includes the full title "Secret Title" of the page, despite the user not having view right on the page.

Note that there is nothing special about the "XWiki.ClassSheetBinding" class that is exploited here, this works with any class having a page property.

I reproduced this vulnerability both on a recent development snapshot and on XWiki 10.9 as some of the code that I suspect to be responsible for this has been introduced in ~~XWIKI-15605~~. I didn't check on older versions.

Attachments

Issue Links

links to

Security Advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Dec/24 14:58

Updated:: 12/Jun/25 09:32

Resolved:: 22/Jan/25 18:28