Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-25350

'/users/userpicker.action' exposes users loginids and full names in instance with anonymous access enabled

    XMLWordPrintable

Details

    Description

      LDAP directory users and groups exposed via the /users/userpicker.action.

      There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior.

      The second exposed function that is part of this vulnerability is /spaces/opengrouppicker.action which can be accessed by anonymous users for internal directory browsing.

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-25322 The vulnerability exists in the standalone and also in the online demonstration enviroment.

          • Highest - Our top priority issues
          • Closed

          Activity

            People

              jxie Chii
              gnedel Guilherme Nedel (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: