Details
- Type: Bug
- Status: Closed
- Priority: Highest
- Resolution: Fixed
- Affects Version/s: 2.4.3, 2.7, 2.7.1
- Fix Version/s: 2.7.2
- Component/s: None
- Environment: all
Description
If a user has at least view permissions on a space, they can purge any page in that space using the URL:
/pages/purgetrashitem.action?key=&contentId=
and the right contentId and space key.
A purge can be performed even if the page has not been marked for deletion.
This issue has been replicated and verified by the Confluence support team:
https://support.atlassian.com/browse/CSP-16133
This is a critical security hole and should be fixed ASAP.
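For reviewing whether the purge URL above was used on an affected instance, the following added example (not part of the original report and not Atlassian code) scans access-log lines for `purgetrashitem.action` requests and flags the two conditions the report describes. The log format, the user names, the `AUTHORIZED_PURGERS` mapping and the `TRASHED` set are constructed assumptions; the report does not say which users should be allowed to purge.

```python
from urllib.parse import urlsplit, parse_qs

PURGE_PATH = "/pages/purgetrashitem.action"

# Constructed sample data (assumptions, not taken from the issue).
AUTHORIZED_PURGERS = {"DOCS": {"alice"}}   # space key -> users allowed to purge
TRASHED = {("DOCS", "1001")}               # (space key, contentId) in trash

# Constructed log lines in an assumed format: <user> <method> <uri> <status>
SAMPLE_LOG = """\
alice GET /pages/purgetrashitem.action?key=DOCS&contentId=1001 200
bob GET /pages/purgetrashitem.action?key=DOCS&contentId=1001 200
alice GET /pages/purgetrashitem.action?key=DOCS&contentId=2002 200
bob GET /pages/viewpage.action?pageId=2002 200
carol POST /confluence/pages/purgetrashitem.action?contentId=3003&key=HR 302
malformed line
"""

def audit_purges(log_text, authorized, trashed):
    """Return (line number, user, space key, contentId, reasons) for each
    purge request that lacked authorization or targeted untrashed content."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        user, _method, uri, _status = parts
        url = urlsplit(uri)
        # endswith() tolerates a context path such as /confluence
        if not url.path.endswith(PURGE_PATH):
            continue
        query = parse_qs(url.query, keep_blank_values=True)
        key = query.get("key", [""])[0]
        content_id = query.get("contentId", [""])[0]
        reasons = []
        if user not in authorized.get(key, set()):
            reasons.append("user not authorized to purge in this space")
        if (key, content_id) not in trashed:
            reasons.append("content was not in trash")
        if reasons:
            findings.append((lineno, user, key, content_id, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_purges(SAMPLE_LOG, AUTHORIZED_PURGERS, TRASHED):
        print(finding)
```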
Issue Links
- was cloned as: CONFSERVER-11149 XSS vulnerability in browseusers.vm (Closed)