Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 5.3.4
Affects Version/s: 5.2
Component/s: None
Labels:
- NCC
- affects-server
- cvss-medium
- editor
- loyalty
- plugin
- plugins
- security
- user-lister
Environment:

Confluence version 5.2.3 (standalone) on Ubuntu

CVSS Score:
5
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Confluence allows an administrator to configure the groups which will not be allowed for member listing by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery (XSRF). An attacker who exploited this vulnerability could cause the group black-list to be cleared.

A GET request to the following location (as an elevated administrator) is enough to invoke this action:

/admin/userlister/doconfigure.action?blackListEntries=confluence-administrators&save=Save

If the blackListEntries parameter value is removed, the user lister group black list is removed completely.

Attachments

Issue Links

is duplicated by: USERLISTER-28 Loading...

mentioned in: Page Loading...; Wiki Page Loading...

Activity

People

Assignee:: PatrickA

Reporter:: Phillip Langlois

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 01/Oct/2013 11:04 AM

Updated:: 11/Oct/2018 8:52 AM

Resolved:: 12/Nov/2013 2:34 AM