CSRF in doremoveblogpost.action

2013-08-23T01:38:37
ID ATLASSIAN:CONFCLOUD-54163
Type atlassian
Reporter djohnson@atlassian.com
Modified 2017-04-02T05:39:27

Description

Any page can be deleted if a user with sufficient privileges to delete the page clicks an attacker-controlled link, or views an image at an attacker-controlled URL.

/pages/doremoveblogpost.action?pageId=<page to delete>
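
A defender-side check for the pattern described above, added here as an example and not part of the original advisory: it scans web access logs for hits on the delete action whose Referer is missing or off-site. The "combined" log format, the hostname `wiki.example.test` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: access logs use the Apache/Nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
ACTION_PATH = "/pages/doremoveblogpost.action"  # path taken from the advisory


def suspicious_deletes(lines, site_host):
    """Return hits on the delete action whose Referer is absent or off-site."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        target = urlsplit(m["target"])
        # endswith() tolerates a context path in front of the action.
        if not target.path.endswith(ACTION_PATH):
            continue
        referer = m["referer"]
        ref_host = urlsplit(referer).hostname if referer not in ("", "-") else None
        if ref_host == site_host.lower():
            continue  # reached from the site's own pages, the expected path
        page_id = parse_qs(target.query).get("pageId", [None])[0]
        findings.append({"user": m["user"], "page_id": page_id,
                         "referer_host": ref_host, "status": int(m["status"])})
    return findings


# Constructed sample log lines (not real traffic); hostnames are placeholders.
SAMPLE = [
    '203.0.113.7 - alice [23/Aug/2013:01:40:00 +0000] "GET /pages/doremoveblogpost.action?pageId=1001 HTTP/1.1" 302 0 "https://wiki.example.test/pages/viewpage.action?pageId=1001" "Mozilla/5.0"',
    '203.0.113.8 - bob [23/Aug/2013:01:41:00 +0000] "GET /pages/doremoveblogpost.action?pageId=2002 HTTP/1.1" 302 0 "https://attacker.example.test/gallery.html" "Mozilla/5.0"',
    '203.0.113.9 - carol [23/Aug/2013:01:42:00 +0000] "GET /pages/doremoveblogpost.action?pageId=2003 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - bob [23/Aug/2013:01:43:00 +0000] "GET /pages/viewpage.action?pageId=2002 HTTP/1.1" 200 512 "https://attacker.example.test/gallery.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in suspicious_deletes(SAMPLE, "wiki.example.test"):
        print(finding)
```

A missing Referer is only a weak signal, since browsers and referrer policies can strip it; treat findings as leads to correlate with records of deleted pages.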