Don't display personal information beyond what is necessary in "Edit access" Ajax response
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Unassigned | |
| 18.10 | Fix Released | High | Unassigned | |
| 19.04 | Fix Released | High | Unassigned | |
| 19.10 | Fix Released | High | Unassigned | |
Bug Description
When you are on view/access.
1. Open the "Network" tab.
2. Click on acces.json.php.
3. Show the "Response" information.
Username and other personal information that should not be displayed is shown, which means that information about other people can be leaked.
When we compose a message in the inbox, that same sort of disclosure does not happen. So, sendmessage.
We should only disclose as much information in the "Response" as we do in the select menu, i.e. use the normal display name function, as some people may not want to share their first and last name. Things will be different depending on their role.
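As an added example that is not part of the bug report or of Mahara's own code, the PHP below contrasts a Select2 Ajax response that serialises whole user rows with one that returns only the option value (id) and the text the menu shows (the display name), and adds a shape check that fails closed if extra fields creep back in. The field names (preferredname and so on), the function names and the sample rows are assumptions for illustration.

```php
<?php
// Added example, not Mahara's own code. Field names, function names and
// sample rows are assumptions made for illustration.

/**
 * Stand-in for the "normal display name" rule the report refers to:
 * prefer the name the user chose to show, otherwise fall back to
 * first and last name. (Assumed behaviour, not Mahara's function.)
 */
function display_name(array $user): string
{
    if (!empty($user['preferredname'])) {
        return $user['preferredname'];
    }
    return trim($user['firstname'] . ' ' . $user['lastname']);
}

/**
 * BEFORE (kept for contrast): the whole database row is serialised, so
 * the browser's Network tab shows username, email and real names for
 * every matching user, far more than the <select> ever renders.
 */
function access_response_leaky(array $users): array
{
    return ['results' => $users];
}

/**
 * AFTER: only the value the <select> needs (id) and the text it shows.
 */
function access_response_minimal(array $users): array
{
    $results = [];
    foreach ($users as $user) {
        $results[] = [
            'id'   => (int) $user['id'],
            'text' => display_name($user),
        ];
    }
    return ['results' => $results];
}

/**
 * Shape check reusable on any endpoint that feeds a Select2 box:
 * true only when every result row carries nothing but the allowed keys.
 * It returns false for access_response_leaky() output.
 */
function response_has_only(array $response, array $allowed): bool
{
    foreach ($response['results'] as $row) {
        if (array_diff(array_keys($row), $allowed) !== []) {
            return false;
        }
    }
    return true;
}

// Constructed sample rows standing in for a database query result.
$sample = [
    ['id' => 7, 'username' => 'jdoe', 'email' => 'jdoe@example.invalid',
     'firstname' => 'Jane', 'lastname' => 'Doe', 'preferredname' => 'JD'],
    ['id' => 9, 'username' => 'asmith', 'email' => 'asmith@example.invalid',
     'firstname' => 'Alex', 'lastname' => 'Smith', 'preferredname' => ''],
];

$minimal = access_response_minimal($sample);

// Fail closed if a later change reintroduces personal fields.
if (!response_has_only($minimal, ['id', 'text'])) {
    http_response_code(500);
    exit('response shape check failed');
}

header('Content-Type: application/json');
echo json_encode($minimal);
```

The point of the shape check is that it is written against the response, not the query: whichever columns a future query selects, nothing beyond id and text reaches the client, and the same check can be dropped into every other Select2 name drop-down endpoint.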
CVE References
information type: Private Security → Public Security
Changed in mahara: status: Fix Committed → Fix Released
no longer affects: mahara/20.04
It would be good to check the other places that use the Select2 name drop-down and double-check that they are safe.