User lister action has no cross-site request forgery (XSRF) protection


Confluence allows an administrator to configure the groups whose members will not be listed by the userlister macro. The doconfigure action that implements this functionality is vulnerable to cross-site request forgery (XSRF). An attacker who exploited this vulnerability could cause the group black list to be cleared.

A GET request to the following location (as an elevated administrator) is enough to invoke this action:

/admin/userlister/doconfigure.action?blackListEntries=confluence-administrators&save=Save

If the blackListEntries parameter value is removed, the user lister group black list is removed completely.
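As an added example (not Confluence code and not part of this issue), the following Python model shows the flaw described above next to a hardened version of the same action. The vulnerable handler accepts any request from an administrator's session, so a GET with the blackListEntries parameter omitted clears the list; the hardened handler requires a POST carrying a per-session synchronizer token before it changes state. The names Session, Request, handle_doconfigure_vulnerable, handle_doconfigure_hardened, run_scenarios and the token parameter atl_token are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# The classes, handlers and the atl_token parameter name below are
# assumptions of this example; they are not Confluence's implementation.


@dataclass
class Session:
    user: str
    is_admin: bool
    # Per-session synchronizer token. A cross-site page can make the
    # browser send the session cookie, but it cannot read this value.
    xsrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    params: dict
    session: Session


def parse_entries(raw):
    """Turn the blackListEntries parameter into a set of group names."""
    return {e.strip() for e in (raw or "").split(",") if e.strip()}


def handle_doconfigure_vulnerable(req, blacklist):
    """Models the flaw in the issue: any request arriving on an admin
    session rewrites the list, whatever the HTTP method and origin."""
    if not req.session.is_admin:
        return 403, "admin only"
    if "save" in req.params:
        blacklist.clear()
        blacklist.update(parse_entries(req.params.get("blackListEntries")))
    return 200, "saved"


def handle_doconfigure_hardened(req, blacklist):
    """Same action with XSRF protection: the state change is only applied
    on a POST whose token matches the one bound to the caller's session."""
    if not req.session.is_admin:
        return 403, "admin only"
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    token = req.params.get("atl_token")
    if token is None or not hmac.compare_digest(
        token.encode(), req.session.xsrf_token.encode()
    ):
        return 403, "missing or invalid XSRF token"
    if "save" in req.params:
        blacklist.clear()
        blacklist.update(parse_entries(req.params.get("blackListEntries")))
    return 200, "saved"


PATH = "/admin/userlister/doconfigure.action"


def run_scenarios():
    """Runs the forged GET from the issue (blackListEntries omitted) against
    both handlers, then a legitimate POST against the hardened one. Returns
    {scenario: (status, black list afterwards)}."""
    results = {}
    forged = {"save": "Save"}  # constructed: parameter omitted, clears the list if accepted
    sess = Session("admin", True)

    bl = {"confluence-administrators"}
    status, _ = handle_doconfigure_vulnerable(Request("GET", PATH, forged, sess), bl)
    results["vulnerable_get"] = (status, set(bl))

    bl = {"confluence-administrators"}
    status, _ = handle_doconfigure_hardened(Request("GET", PATH, forged, sess), bl)
    results["hardened_get"] = (status, set(bl))

    status, _ = handle_doconfigure_hardened(Request("POST", PATH, forged, sess), bl)
    results["hardened_post_no_token"] = (status, set(bl))

    legit = {  # constructed: what the real admin form would submit
        "blackListEntries": "confluence-administrators, site-admins",
        "save": "Save",
        "atl_token": sess.xsrf_token,
    }
    status, _ = handle_doconfigure_hardened(Request("POST", PATH, legit, sess), bl)
    results["hardened_post_with_token"] = (status, set(bl))
    return results


if __name__ == "__main__":
    for name, (status, state) in run_scenarios().items():
        print(f"{name}: HTTP {status}, black list = {sorted(state)}")
```

The method check alone is not sufficient protection (a cross-site form can POST just as easily as an image tag can GET); the token bound to the session is what stops the forged request, and the constant-time comparison keeps the token check itself from leaking anything.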

Assignee: PatrickA
Reporter: Phillip Langlois
Votes: 0
Watchers: 4
