Intigriti Integration updated an issue

XWiki Platform / XWIKI-20371 Solr search disclosed email addresses of users Change By: Intigriti Integration *SUBMISSION REFERENCES* * *Submission code*: XWIKI-0KMN1DIA * *Submission URL*: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-0KMN1DIA *RESEARCHER INFORMATION* * *Submitter*: ynoof *SUBMISSION INFORMATION* * *Created at*: Mon, 14 Nov 2022 14:51:34 GMT * *Submission status*: Accepted Archived *REPORT CONTENT* * *Severity*: Medium (5.3) * *Domain*: https://intigriti.xwiki.com/ (Url) * *Proof of concept*: Hello, As mentioned in the wiki program the User profile data are not confidential except `email addresses` and passwords, I can view any email address for any user on the wiki. ### Steps to reproduce 1. Go to the following endpoint: https://intigriti.xwiki.com/xwiki/bin/view/Main/SolrSearch 2. Put the username in the search box, and you will see all emails that the user has. ### POC {542852} {354365} {882795} Thanks, Ynoof * *Impact*: Security issue leads the attacker to view any user's email. * *Personal data involved*: No * *Endpoint*: https://intigriti.xwiki.com/xwiki/bin/view/Main/SolrSearch * *Type*: Security Misconfiguration (Generic) * *Attachments*: poc1.png, poc2.png, poc3.png Add Comment

This message was sent by Atlassian Jira (v9.3.0#930000-sha1:287aeb6)