- Type: Bug
- Status: Closed
- Resolution: Duplicate
- Affects Version/s: 6.1.0 CE GA1
- Fix Version/s: --Sprint 11/12, 6.2.0 CE M2
- Component/s: Accessibility, Security Vulnerability
- Labels:
- Fix Priority: 3

As an unauthenticated user, it is possible to retrieve the names and email addresses of all Liferay users.
To retrieve a list of all users simply issue the following request
Getting to the email addresses is a bit more involved, because these are not included in the response. But it is still possible to get to them by utilizing wildcard searches. The following request will return all users whose email address starts with a "b":
http://localhost:8080/c/search/open_search?p=1&c=5000&keywords=emailAddress:b*
By adding a letter at a time to the emailAddress parameter, it's possible to eventually get someone's full email address.
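
Detection logic for the enumeration pattern described above, added here as an example and not part of the original report or of Liferay's code: it scans access-log lines for field-scoped wildcard searches against `open_search` and flags clients whose prefixes grow one character at a time. The log lines, the common-log-format layout, the function names and the `min_chain` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format), not from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /c/search/open_search?p=1&c=5000&keywords=emailAddress:b* HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /c/search/open_search?p=1&c=5000&keywords=emailAddress:bo* HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /c/search/open_search?p=1&c=5000&keywords=emailAddress%3Abob* HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /c/search/open_search?p=1&c=5000&keywords=emailAddress%3Abob%40* HTTP/1.1" 200 1024
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET /c/search/open_search?p=1&c=20&keywords=calendar HTTP/1.1" 200 900
198.51.100.20 - - [01/Jan/2024:10:06:00 +0000] "GET /c/search/open_search?p=1&c=20&keywords=emailAddress:a* HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
WILDCARD_RE = re.compile(r'^(\w+):([^\s*?]+)\*$')  # field:prefix*

def wildcard_probes(log_text):
    """Yield (client, field, prefix) for each field-scoped wildcard search."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/open_search"):
            continue
        for kw in parse_qs(url.query).get("keywords", []):  # parse_qs URL-decodes
            w = WILDCARD_RE.match(kw.strip())
            if w:
                yield client, w.group(1), w.group(2).lower()

def longest_chain(prefixes):
    """Longest run of prefixes where each extends another by exactly one character."""
    depth = {}
    for p in sorted(set(prefixes), key=len):
        depth[p] = depth.get(p[:-1], 0) + 1
    return max(depth.values(), default=0)

def flag_enumeration(log_text, min_chain=3):
    """Map (client, field) -> chain length for clients walking a field one letter at a time."""
    by_key = defaultdict(list)
    for client, field, prefix in wildcard_probes(log_text):
        by_key[(client, field)].append(prefix)
    chains = {k: longest_chain(v) for k, v in by_key.items()}
    return {k: n for k, n in chains.items() if n >= min_chain}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

A single wildcard query, like the one from the second client, stays below the threshold; only the incremental walk is reported.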
- duplicates: LPS-25877 Search portlet returns results that should not appear (Closed)