  1. XWiki Platform
  2. XWIKI-9069

Private document name leak in document index

Details

    • security, access rights
    • Low
    • Hard
    • N/A
    • N/A

    Description

      The AllDocs page exposes the names of all pages (including confidential pages) to all users (including unregistered users).

      XWiki should check that the current user has the "view" right for the returned pages.

      As a temporary workaround, the AllDocs page should have the "view" right restricted to the XWikiAllGroup.

            People

              mleduc Manuel Leduc
              dirk@computer42.org H.-Dirk Schmitt
