'viewuserSummary.action' is available to Anonymous users.

XMLWordPrintable

    • 1
    • Severity 3 - Minor
    • Hide

      Waiting for release

      Show
      Waiting for release

      Issue Summary

      https://bamboourl/users/viewUserSummary.action?currentUserName=<username>

      If anonymous access is enabled, the above URL can be accessed by users who are not logged in and can be used to guess if certain user names exist or not.

      Steps to Reproduce

      1. Turn on Anonymous Access
      2. Open Bamboo URL in Incognito Window
      3. Guess at usernames

      Expected Results

      If not logged on you should not be able to retrieve user information.

      Actual Results

      Anonymous users have access to usernames and email addresses of Bamboo users.

      Workaround

      Disable Anonymous Access.

      If AA is required by other business processes there is no workaround.

            Assignee:
            Wioletta Dys
            Reporter:
            Robert W (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: