Details
- Bug
- Resolution: Fixed
- Highest
- 2.4.3, 2.7, 2.7.1
- None
- all
Description
If a user has at least view permissions on a space, they can purge any page in that space using the URL:
/pages/purgetrashitem.action?key=&contentId=
and the right contentId and space key.
A purge can be performed even if the page has not been marked for deletion.
This issue has been replicated and verified by the Confluence support team:
https://support.atlassian.com/browse/CSP-16133
This is a critical security hole and should be fixed ASAP.
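The following is an added example, not Atlassian's code or part of the original report: a log audit that flags purge requests which the two checks missing in this bug (purge rights on the space, and the page actually being in the trash) would have refused. The log line format, the `space_admins` and `trashed_ids` inputs, and treating 2xx/3xx as "request was served" are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

PURGE_PATH = "/pages/purgetrashitem.action"  # action path from the report
# Assumed (constructed) log format: "<user> <method> <request-uri> <status>"
LINE_RE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")

def audit_purges(lines, space_admins, trashed_ids):
    """Return (user, space key, contentId, reasons) for suspicious purges.

    space_admins: space key -> set of users allowed to purge (assumed policy)
    trashed_ids:  contentIds known to have been in the trash when requested
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["uri"])
        if not url.path.endswith(PURGE_PATH):  # tolerate a context path, e.g. /wiki
            continue
        if not m["status"].startswith(("2", "3")):  # refused requests are not findings
            continue
        qs = parse_qs(url.query)  # blank parameters are dropped, so default to ""
        key = qs.get("key", [""])[0]
        content_id = qs.get("contentId", [""])[0]
        reasons = []
        if m["user"] not in space_admins.get(key, set()):
            reasons.append("user lacks purge rights on space")
        if content_id not in trashed_ids:
            reasons.append("page was not in trash")
        if reasons:
            findings.append((m["user"], key, content_id, reasons))
    return findings

# Constructed sample data for illustration only.
SAMPLE_LOG = [
    "alice GET /pages/purgetrashitem.action?key=DOCS&contentId=1001 302",
    "bob GET /wiki/pages/purgetrashitem.action?key=DOCS&contentId=1002 302",
    "bob GET /pages/viewpage.action?pageId=1002 200",
    "carol GET /pages/purgetrashitem.action?key=DOCS&contentId=1001 403",
    "alice GET /pages/purgetrashitem.action?key=DOCS&contentId=1003 200",
]
SAMPLE_ADMINS = {"DOCS": {"alice"}}
SAMPLE_TRASHED = {"1001"}

if __name__ == "__main__":
    for finding in audit_purges(SAMPLE_LOG, SAMPLE_ADMINS, SAMPLE_TRASHED):
        print(finding)
```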
Issue Links
- was cloned as: CONFSERVER-11149 XSS vulnerability in browseusers.vm (Closed)