Details
Bug
Resolution: Fixed
Medium
3.5.13, 4.2
None
standalone
5
Description
When checking the application for security leaks, I found that the actions doeditpage, domovepage and docreatepage explicitly set requireSecurityToken=false in the xwork.xml. This could be a possible leak in an attack scenario. Is there a reason why these actions should not require the security token, perhaps incompatibilities, ...?
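
The check described in this report can be automated. The following is an added example, not part of the original report or the product's code: it scans an xwork.xml for actions whose security token requirement is switched off or never declared. It assumes the setting is an XWork-style `<param>` child of each `<action>`; the sample file, its class names, and the `doremovepage` and `viewpage` actions are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The layout (a <param> child per <action>) is an
# assumption about how xwork.xml carries the setting, not a copy of the
# product's file; class names are hypothetical.
SAMPLE_XWORK = """\
<xwork>
  <package name="pages" namespace="/pages">
    <action name="doeditpage" class="example.EditPageAction">
      <param name="RequireSecurityToken">false</param>
    </action>
    <action name="domovepage" class="example.MovePageAction">
      <param name="requireSecurityToken"> FALSE </param>
    </action>
    <action name="doremovepage" class="example.RemovePageAction">
      <param name="RequireSecurityToken">true</param>
    </action>
    <action name="viewpage" class="example.ViewPageAction"/>
  </package>
</xwork>
"""

def audit_security_tokens(xml_text):
    """Return {"disabled": [...], "unset": [...]} of namespace/action paths."""
    root = ET.fromstring(xml_text)
    findings = {"disabled": [], "unset": []}
    for package in root.iter("package"):
        namespace = package.get("namespace", "")
        for action in package.iter("action"):
            path = f"{namespace}/{action.get('name')}"
            # Accept any capitalisation of the parameter name.
            values = [
                (p.text or "").strip().lower()
                for p in action.findall("param")
                if (p.get("name") or "").lower() == "requiresecuritytoken"
            ]
            if not values:
                # No explicit setting: the action relies on the default.
                findings["unset"].append(path)
            elif any(v != "true" for v in values):
                # Anything other than "true" is reported as disabled.
                findings["disabled"].append(path)
    return findings

if __name__ == "__main__":
    for kind, paths in audit_security_tokens(SAMPLE_XWORK).items():
        for path in paths:
            print(f"{kind}: {path}")
```

Actions reported as `unset` are not necessarily unprotected; they need a manual check against whatever default the deployed version applies.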