Bug
Resolution: Won't Fix
Low
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
cert.fr@cassidian.com reported the following vulnerability:
=== Vulnerability 1 ===
== Type ==
Information Disclosure
== Product ==
Atlassian Confluence
== Severity ==
Medium
== Description ==
Some fields in Confluence have an auto-completion feature for usernames or groups. The pages used to perform this auto-completion allow disclosure of all the usernames and groups of the application, without any restriction.
Vulnerable pages are:
- /confluence/users/userpicker.action
- /confluence/spaces/dosearchgroupsnopermissions.action

- is duplicated by: CONFSERVER-23985 Do not show registered users in quick search to anonymous users (Closed)
- relates to: CONFCLOUD-26917 User name disclosure through auto-completion (Closed)
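
Since the issue was closed as Won't Fix, one way to watch for bulk use of the two auto-completion pages named in the report is to scan web access logs for clients that query them repeatedly. The following is an added example, not part of the original report or Atlassian's code. It assumes a reverse proxy in front of Confluence writing common/combined log format; the threshold, the sample lines and the `x=` query strings are constructed placeholders, not Confluence's real parameter names.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths named in the report; matched as suffixes so any context path works.
PICKER_PATHS = ("/users/userpicker.action",
                "/spaces/dosearchgroupsnopermissions.action")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def find_enumeration(lines, min_distinct=3):
    """Return {client_ip: sorted distinct picker requests} for clients that got
    at least min_distinct different successful (200) auto-completion responses.
    min_distinct is an assumed threshold; tune it to normal UI usage."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, redirect to login, or error
        url = urlsplit(m["target"])
        if url.path.lower().endswith(PICKER_PATHS):
            seen[m["ip"]].add(url.path + "?" + url.query)
    return {ip: sorted(reqs) for ip, reqs in seen.items() if len(reqs) >= min_distinct}

# Constructed sample log lines (documentation IP ranges, placeholder queries).
T = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /confluence/users/userpicker.action?x=a HTTP/1.1" 200 512 "-" "-"',
    f'203.0.113.7 - - {T} "GET /confluence/users/userpicker.action?x=b HTTP/1.1" 200 498 "-" "-"',
    f'203.0.113.7 - - {T} "GET /confluence/users/userpicker.action?x=c HTTP/1.1" 200 530 "-" "-"',
    f'203.0.113.7 - - {T} "GET /confluence/spaces/dosearchgroupsnopermissions.action?x=a HTTP/1.1" 200 301 "-" "-"',
    f'203.0.113.7 - - {T} "GET /confluence/users/userpicker.action?x=d HTTP/1.1" 302 0 "-" "-"',
    f'198.51.100.9 - - {T} "GET /confluence/users/userpicker.action?x=smith HTTP/1.1" 200 120 "-" "-"',
    f'192.0.2.5 - - {T} "GET /confluence/dashboard.action HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in find_enumeration(SAMPLE).items():
        print(ip, len(reqs), "distinct auto-completion requests")
```
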