- Bug
- Resolution: Won't Fix
- Low
- None
NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.
cert.fr@cassidian.com reported the following vulnerability:
=== Vulnerability 1 ===
== Type ==
Information Disclosure
== Product ==
Atlassian Confluence
== Severity ==
Medium
== Description ==
Some fields in Confluence have an auto-completion feature for usernames or groups. The pages used to perform this auto-completion allow disclosure of all the usernames and groups of the application, without any restriction.
Vulnerable pages are:
- /confluence/users/userpicker.action
- /confluence/spaces/dosearchgroupsnopermissions.action
- is duplicated by
  - AI-602 Do not show registered users in quick search to anonymous users (Gathering Interest)
- is related to
  - CONFSERVER-26917 User name disclosure through auto-completion (Closed)
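To check whether the two pages named in the report are being answered for clients that are not logged in, the access log can be scanned for successful anonymous requests to them. The following is an added example, not part of the original report or Atlassian's code; it assumes a combined-format access log in which the third field is the authenticated user, and the function name and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The two auto-completion pages named in the report.
PICKER_PATHS = {
    "/confluence/users/userpicker.action",
    "/confluence/spaces/dosearchgroupsnopermissions.action",
}

# Assumption: combined access log format, where the third field is the
# authenticated user and "-" means the request was anonymous.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /confluence/users/userpicker.action HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /confluence/users/userpicker.action;jsessionid=CONSTRUCTED HTTP/1.1" 200 498
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /confluence/spaces/dosearchgroupsnopermissions.action HTTP/1.1" 200 301
198.51.100.7 - alice [01/Jan/2024:10:00:04 +0000] "GET /confluence/users/userpicker.action HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /confluence/users/userpicker.action HTTP/1.1" 302 0
203.0.113.5 - - [01/Jan/2024:10:00:06 +0000] "GET /confluence/dashboard.action HTTP/1.1" 200 9000
""".splitlines()


def anonymous_picker_hits(lines, threshold=1):
    """Return {client_ip: {"requests": n, "paths": [...]}} for clients that got
    a 2xx answer from a picker page without being logged in."""
    hits = defaultdict(lambda: {"requests": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] != "-" or not m["status"].startswith("2"):
            continue
        # Drop the query string and any ";jsessionid=..." path parameter.
        path = urlsplit(m["target"]).path.split(";", 1)[0]
        if path in PICKER_PATHS:
            hits[m["ip"]]["requests"] += 1
            hits[m["ip"]]["paths"].add(path)
    return {
        ip: {"requests": h["requests"], "paths": sorted(h["paths"])}
        for ip, h in hits.items()
        if h["requests"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in anonymous_picker_hits(SAMPLE_LOG).items():
        print(ip, info["requests"], ", ".join(info["paths"]))
```

Redirects to the login page (the 302 line) and authenticated users are ignored, so any client this reports received picker data anonymously.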