Описание
XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
Impact
Anyone who has view rights on the Calendar.JSONService page, including guest users can exploit this vulnerability by accessing database info, with the exception of passwords.
Workarounds
Remove the Calendar.JSONService page. This will however break some functionalities.
References
Jira issue:
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Пакеты
org.xwiki.contrib:macro-fullcalendar-pom
<= 2.4.5
2.4.6
Связанные уязвимости
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
Уязвимость расширения Full Calendar Macro платформы создания совместных веб-приложений XWiki, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации