Group member search json script reveals user information

Bug #772174 reported by Richard Mansfield
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Richard Mansfield
1.3
Fix Released
High
Richard Mansfield

Bug Description

The script group/membersearchresults.php, should only return a list of user ids and names, but gives out more user information than it should, such as email addresses. Similar to bug #772160.

Only affects 1.3+. In previous versions the script was not used for the userlist pieform element & only returned html.

CVE References

Revision history for this message
Richard Mansfield (richard-mansfield) wrote :
visibility: private → public
Changed in mahara:
status: In Progress → Fix Committed
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.