[CONFSERVER-10807] Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access - Create and track feature requests for Atlassian products.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Highest
Resolution: Fixed
Affects Version/s: 2.4.3, 2.7, 2.7.1
Fix Version/s: 2.7.2
Component/s: None
Labels:
- affects-server
- security
Environment:

all

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

If a user has at least view permissions on a space they can purge any page in that space using the URL:

/pages/purgetrashitem.action?key=&contentId=

and the right contentId and space key.

A purge can be performed even if the page has not been marked for deletion.

This issue has been replicated and verified by the Confluence support team:
https://support.atlassian.com/browse/CSP-16133

This is a critical security hole and should be fixed ASAP.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

Attachments

patch-2.5.x-2.6.x.zip
1 kB
06/Mar/2008 3:10 AM
PurgeTrashItemAction.class
3 kB
26/Feb/2008 5:55 AM

Issue Links

was cloned as

CONFSERVER-11149 XSS vulnerability in browseusers.vm

Closed

Activity

People

Assignee:: DaveA

Reporter:: Neeraj Jhanji

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 25/Feb/2008 6:05 AM

Updated:: 11/Oct/2018 8:58 AM

Resolved:: 04/Mar/2008 11:50 PM