[CONFSERVER-30887] doremovespacemail action can be called by non-admins

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.4.1
Affects Version/s: 5.2.3
Component/s: Server - Mail Archiving
Labels:
Environment:

Confluence version 5.2.3 (standalone)
Running on Ubuntu Server 12.04.

CVSS Score:
4
Bug Fix Policy:
View Atlassian Server bug fix policy

The doremovespacemail action is provided by the confluence-mail-archiving plugin, and allows all of the archived mail associated with a space to be removed. This action can be called by any authenticated user, which appears to be an oversight in access control, given that similar methods (such as doremovemail) firstly check that the caller has REMOVE_MAIL_PERMISSION permission.

This could allow a malicious Confluence user who only has view access to a particular space to remove all of the archived mail from that space.

mentioned in: Page Loading...; Wiki Page Failed to load

No work has yet been logged on this issue.

Assignee:: Petro Semeniuk (Inactive)

Reporter:: Richard Turnbull

Affected customers:: 0 This affects my team

Watchers:: 6 Start watching this issue

Created:: 20/Sep/2013 5:08 PM

Updated:: 11/Oct/2018 8:43 AM

Resolved:: 02/Dec/2013 10:40 PM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates