[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17292175#comment-17292175 ]
Carsten Ziegeler commented on SLING-10147: ------------------------------------------ But if the solution depends on FELIX-6390 then you need to have the latest version of the web console with that fix - or am I missing something? > scripting variables implementation details are exposed to not authorized users > ------------------------------------------------------------------------------ > > Key: SLING-10147 > URL: https://issues.apache.org/jira/browse/SLING-10147 > Project: Sling > Issue Type: Bug > Reporter: Eric Norman > Assignee: Eric Norman > Priority: Major > Fix For: Scripting Core 2.3.6 > > Time Spent: 4.5h > Remaining Estimate: 0h > > The ".SLING_availablebindings.json" selector is registered at > /apps/sling/servlet/default and the usage on all resources is not protected > by any security checks. The information returned contains implementation > details that a regular user should not need to know and could be considered > an "information disclosure" vulnerability. > Since this selector appears to only be used by the "Scripting Variables" > webconsole plugin, I would expect that it should require the same security > checking that would be needed to access the webconsole. > -- This message was sent by Atlassian Jira (v8.3.4#803005)