Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.4.1
Affects Version/s: 5.2.3
Component/s: Server - Mail Archiving
Labels:
Environment:

Confluence version 5.2.3 (standalone)
Running on Ubuntu Server 12.04.

CVSS Score:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods (such as doremovemail) firstly check that the caller has REMOVE_MAIL_PERMISSION permission.

This could allow a malicious Confluence user who only has view access to a particular space to remove all of the archived mail from that space.

Attachments

Issue Links

mentioned in: Page Loading...; Wiki Page Loading...

Activity

People

Assignee:: Petro Semeniuk (Inactive)

Reporter:: Richard Turnbull

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 20/Sep/2013 5:08 PM

Updated:: 11/Oct/2018 8:43 AM

Resolved:: 02/Dec/2013 10:40 PM