*SUBMISSION REFERENCES*
* *Submission code*: XWIKI-0KMN1DIA
* *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-0KMN1DIA

*RESEARCHER INFORMATION*
* *Submitter*: ynoof

*SUBMISSION INFORMATION*
* *Created at*: Mon, 14 Nov 2022 14:51:34 GMT
* *Submission status*: Archived

*REPORT CONTENT*
* *Severity*: Medium (5.3)
* *Domain*: https://intigriti.xwiki.com/ (Url)
* *Proof of concept*:

Hello,
As mentioned in the wiki program, the user profile data are not confidential except `email addresses` and passwords. I can view any email address for any user on the wiki.
### Steps to reproduce
1. Go to the following endpoint:
   https://intigriti.xwiki.com/xwiki/bin/view/Main/SolrSearch
2. Put the username in the search box, and you will see all emails that the user has.
### POC
{542852}
{354365}
{882795}
Thanks,
Ynoof

* *Impact*: Security issue leads the attacker to view any user's email.
* *Personal data involved*: No
* *Endpoint*: https://intigriti.xwiki.com/xwiki/bin/view/Main/SolrSearch
* *Type*: Security Misconfiguration (Generic)
* *Attachments*: poc1 poc2 .png, poc2 poc3 .png, poc3 poc1 .png