Ajax script for friend search pagination reveals user information

Reported by Richard Mansfield on 2011-04-28
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara | | High | Richard Mansfield |
1.2 | | High | Richard Mansfield |
1.3 | | High | Richard Mansfield |

Bug Description

The script json/friendsearch.php, used for pagination & search on the find friends and my friends pages, should only return html, but gives out more user information than it should, such as email addresses.
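
A regression check for this class of leak, as an added example that is not part of the original report or Mahara's code: it audits a JSON pagination response against an allowlist of top-level keys and flags email-like strings anywhere in the payload. The key names and the sample responses are assumptions constructed for illustration.

```python
import json
import re

# Assumed allowlist for an HTML-only pagination response. These key names
# are hypothetical; they are not taken from Mahara's code.
ALLOWED_KEYS = {"error", "html", "count", "offset", "limit"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def _walk(value, path):
    """Yield (path, string) for every string nested anywhere in value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")


def audit_response(body):
    """Return a sorted list of findings for one JSON response body."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    # Any key outside the allowlist is a candidate for leaked record data.
    findings = [f"unexpected key: {k}" for k in doc if k not in ALLOWED_KEYS]
    # Email-like strings are flagged wherever they appear, HTML included.
    findings += [f"email-like value at {p}"
                 for p, s in _walk(doc, "$") if EMAIL_RE.search(s)]
    return sorted(findings)


# Constructed sample responses (not captured from a real site).
LEAKY = json.dumps({
    "error": False,
    "html": "<div class='friend'>Alice Example</div>",
    "count": 1, "offset": 0, "limit": 10,
    "data": [{"id": 7, "name": "Alice Example", "email": "alice@example.org"}],
})
# Same response with the raw record array removed.
CLEAN = json.dumps({k: v for k, v in json.loads(LEAKY).items() if k != "data"})

if __name__ == "__main__":
    for name, body in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit_response(body))
```

Run against every JSON endpoint that is meant to return rendered markup only, an empty findings list is the pass condition.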

CVE References

visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
This report contains Public Security information
Everyone can see this security related information.