Eric Norman created SLING-10147:
-----------------------------------
Summary: scripting variables implementation details are exposed to unauthorized users
Key: SLING-10147
URL: https://issues.apache.org/jira/browse/SLING-10147
Project: Sling
Issue Type: Bug
Reporter: Eric Norman
The ".SLING_availablebindings.json" selector is registered at
/apps/sling/servlet/default and the usage on all resources is not protected by
any security checks. The information returned contains implementation details
that a regular user should not need to know and could be considered an
"information disclosure" vulnerability.
Since this selector appears to only be used by the "Scripting Variables"
webconsole plugin, I would expect that it should require the same security
checking that would be needed to access the webconsole.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
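The report's point is that a selector registered on the default resource type answers on every resource without any authorization gate. As an added illustration that is not part of the Jira issue and not Sling's own code, the following servlet shows the defensive shape the reporter asks for: the handler refuses to emit anything unless the requesting session is privileged. The class name, package, the choice of checking `jcr:all` on the repository root, and the placeholder body are assumptions made for this example; the actual fix applied under SLING-10147 may differ.

```java
// Added example, not the Sling project's code. Names and the privilege check
// are illustrative assumptions; the real servlet and its fix may differ.
package example.sling;  // hypothetical package

import java.io.IOException;

import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.osgi.service.component.annotations.Component;

// Registered on the default resource type with a selector, so it answers on
// any resource; that is exactly why the authorization check below is needed.
@Component(service = Servlet.class, property = {
    "sling.servlet.resourceTypes=sling/servlet/default",
    "sling.servlet.selectors=SLING_availablebindings",
    "sling.servlet.extensions=json",
    "sling.servlet.methods=GET"
})
public class GuardedBindingsServlet extends SlingSafeMethodsServlet {

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        if (!isPrivilegedSession(request)) {
            // Deny before any implementation detail is written to the response.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        // Placeholder body: the real listing of scripting bindings would go here.
        response.getWriter().write("{\"bindings\":[]}");
    }

    /**
     * Returns true only when the request's JCR session holds jcr:all on the
     * repository root. Any failure to evaluate the check is treated as "no".
     */
    static boolean isPrivilegedSession(SlingHttpServletRequest request) {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (session == null) {
            return false;
        }
        try {
            AccessControlManager acm = session.getAccessControlManager();
            Privilege[] all = new Privilege[] { acm.privilegeFromName(Privilege.JCR_ALL) };
            return acm.hasPrivileges("/", all);
        } catch (RepositoryException e) {
            return false; // fail closed
        }
    }
}
```

The check runs before the response body is produced, so an unauthorized caller learns nothing beyond a 403. A deployment that wants the exact same gate as the web console could replace `isPrivilegedSession` with a call into whatever authenticates web console requests in that instance; the root-privilege test here is only one simple, fail-closed stand-in.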