Description
By accessing the endpoint /secure/popups/UserPickerBrowser.jspa?max=10, an unauthenticated attacker can retrieve the list of Jira users.
Remediation
Consider restricting unauthenticated access to this endpoint.
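To check whether the endpoint has already been served to anonymous clients, the following added example (not part of the original advisory or of any Atlassian tooling) scans access-log lines for it. It assumes Combined Log Format with the authuser field set to "-" for unauthenticated requests, and allows for a context path such as /jira; the log lines are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

ENDPOINT = "/secure/popups/UserPickerBrowser.jspa"

# Combined Log Format: host ident authuser [time] "METHOD target PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def anonymous_hits(lines):
    """Count, per client host, anonymous requests to ENDPOINT answered with 200."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        # Drop the query string and any ";jsessionid=..." path parameter.
        path = urlsplit(m["target"]).path.split(";")[0]
        if not path.endswith(ENDPOINT):  # endswith tolerates a context path
            continue
        # Assumption: authuser is "-" when the request carried no login.
        if m["user"] == "-" and m["status"] == "200":
            hits[m["host"]] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, made-up users).
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:10:00:01 +0000] "GET /secure/popups/UserPickerBrowser.jspa?max=10 HTTP/1.1" 200 8123 "-" "ua"',
    '198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /jira/secure/popups/UserPickerBrowser.jspa?max=1000 HTTP/1.1" 200 90211 "-" "ua"',
    '192.0.2.10 - alice [10/Mar/2024:10:05:00 +0000] "GET /secure/popups/UserPickerBrowser.jspa?max=10 HTTP/1.1" 200 8123 "-" "ua"',
    '203.0.113.5 - - [10/Mar/2024:10:06:00 +0000] "GET /secure/popups/UserPickerBrowser.jspa?max=10 HTTP/1.1" 302 0 "-" "ua"',
    '203.0.113.5 - - [10/Mar/2024:10:06:05 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 "-" "ua"',
]

if __name__ == "__main__":
    for host, count in anonymous_hits(SAMPLE).most_common():
        print(f"{host}: {count} anonymous 200 response(s) for {ENDPOINT}")
```

Any host reported here received the user picker page without logging in; after access is restricted, the same scan over new logs should return nothing.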