User name disclosure through auto-completion


      NOTE: This bug report is for Confluence Cloud. Using Confluence Server? See the corresponding bug report.

      cert.fr@cassidian.com reported the following vulnerability:

      === Vulnerability 1 ===
      == Type ==
      Information Disclosure

      == Product ==
      Atlassian Confluence

      == Severity ==
      Medium

      == Description ==
      Some fields in Confluence have an auto-completion feature for usernames or groups. The pages used to perform this auto-completion allow disclosure of all the usernames and groups in the application, without any restriction.
      Vulnerable pages are:

      • /confluence/users/userpicker.action
      • /confluence/spaces/dosearchgroupsnopermissions.action
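As an added illustration (not Confluence code, and not part of the report above), the following Python models the two behaviours side by side: an autocomplete lookup with no caller check, no minimum prefix and no result cap, which returns the whole directory for an empty query, and a hardened form that requires an authenticated principal holding a directory-browse permission, refuses prefixes too short to be a genuine lookup, and caps the page size. The sample directory and the permission name `browse_users` are constructed assumptions.

```python
"""Added example (not Confluence code): the access-control checks a user-picker
autocomplete endpoint should enforce, shown beside the unrestricted behaviour
the report describes.  Directory contents and permission names are constructed."""
from dataclasses import dataclass, field

# Constructed sample directory standing in for the application's user store.
DIRECTORY = {
    "users": ["alice", "albert", "bob", "carol", "charlie", "dave"],
    "groups": ["confluence-users", "confluence-administrators", "finance"],
}

MIN_PREFIX = 2    # refuse empty / one-character queries that would dump the directory
MAX_RESULTS = 5   # cap the page size so the full list cannot be read in one request


@dataclass
class Principal:
    """Assumed session model: who is asking, and which permissions they hold."""
    name: str
    authenticated: bool = False
    permissions: set = field(default_factory=set)


ANONYMOUS = Principal(name="anonymous")


class AccessDenied(Exception):
    pass


def autocomplete_unrestricted(kind: str, prefix: str) -> list:
    """Models the reported behaviour: no caller check, no minimum prefix, no cap.
    An empty prefix returns every user or group in the directory."""
    return [n for n in DIRECTORY[kind] if n.startswith(prefix)]


def autocomplete_hardened(principal: Principal, kind: str, prefix: str) -> list:
    """Hardened form: the caller must be authenticated and hold the (hypothetical)
    'browse_users' permission, the prefix must be long enough to be a real lookup,
    and the result set is capped and sorted for stable paging."""
    if not principal.authenticated or "browse_users" not in principal.permissions:
        raise AccessDenied("autocomplete requires an authenticated, authorised user")
    if kind not in DIRECTORY:
        raise ValueError(f"unknown lookup type {kind!r}")
    if len(prefix) < MIN_PREFIX:
        return []  # too short to be a genuine lookup: return nothing, not everything
    matches = [n for n in DIRECTORY[kind] if n.startswith(prefix.lower())]
    return sorted(matches)[:MAX_RESULTS]


if __name__ == "__main__":
    # Anonymous caller, empty prefix: the unrestricted version lists everything ...
    print(autocomplete_unrestricted("users", ""))
    # ... while the hardened version refuses the anonymous caller outright.
    try:
        autocomplete_hardened(ANONYMOUS, "users", "")
    except AccessDenied as exc:
        print("denied:", exc)
    staff = Principal("carol", authenticated=True, permissions={"browse_users"})
    print(autocomplete_hardened(staff, "users", "al"))  # ['albert', 'alice']
```

The minimum-prefix rule and the result cap matter even for authenticated callers: without them a legitimate session can still page through the complete user list, which is the disclosure the report is about, so both checks belong in the endpoint rather than only in the front-end widget.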

      Assignee: Unassigned
      Reporter: David Black
      Votes: 0
      Watchers: 6