'/users/userpicker.action' exposes users' login IDs and full names in an instance with anonymous access enabled

2012-04-26T16:54:59
ID ATLASSIAN:CONF-25350
Type atlassian
Reporter gnedel
Modified 2017-02-17T05:23:50

Description

{quote} LDAP directory users and groups are exposed via /users/userpicker.action.

There should be an option to restrict this to authenticated users only and perhaps this should be the default behavior. {quote}

{quote} The second exposed function that is part of this vulnerability is /spaces/opengrouppicker.action, which can be accessed by anonymous users for internal directory browsing. {quote}
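Added example (not part of the ticket or of Confluence itself): a detection check that scans access logs for successful anonymous requests to the two picker endpoints named above, so an administrator can tell whether the exposure is being hit on their instance. The log lines are constructed, and the Tomcat-style combined log layout is an assumption; adjust the regex to the instance's actual access-log pattern.

```python
import re

# Endpoints named in CONF-25350 that should not answer anonymous requests.
SENSITIVE_ENDPOINTS = ("/users/userpicker.action", "/spaces/opengrouppicker.action")

# Constructed sample lines (assumed Tomcat-style combined layout):
#   client_ip  -  user  [time]  "METHOD path HTTP/x"  status  bytes
# A user field of "-" means the request carried no authenticated session.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [26/Apr/2012:16:54:59 +0000] "GET /users/userpicker.action?query=a HTTP/1.1" 200 4123
203.0.113.7 - - [26/Apr/2012:16:55:03 +0000] "GET /users/userpicker.action?query=a HTTP/1.1" 200 4123
203.0.113.7 - - [26/Apr/2012:16:55:10 +0000] "GET /spaces/opengrouppicker.action HTTP/1.1" 200 2211
198.51.100.2 - - [26/Apr/2012:16:56:00 +0000] "GET /users/userpicker.action HTTP/1.1" 302 0
198.51.100.2 - - [26/Apr/2012:16:56:30 +0000] "GET /display/DOC/Home HTTP/1.1" 200 9876
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def anonymous_picker_hits(log_text):
    """Return records where an unauthenticated client got a 2xx response from a
    picker endpoint. A 302 to the login page is what a correctly restricted
    instance returns, so such lines are not flagged."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if rec["user"] == "-" and path in SENSITIVE_ENDPOINTS and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in anonymous_picker_hits(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} anonymous {h['method']} {h['path']} -> {h['status']}")
```

On the constructed sample this flags only the two 203.0.113.7 requests; the authenticated request and the redirected one are ignored.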