[ https://issues.apache.org/jira/browse/SLING-10147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Norman updated SLING-10147: -------------------------------- Fix Version/s: Scripting Core 2.3.6 > scripting variables implementation details are exposed to not authorized users > ------------------------------------------------------------------------------ > > Key: SLING-10147 > URL: https://issues.apache.org/jira/browse/SLING-10147 > Project: Sling > Issue Type: Bug > Reporter: Eric Norman > Priority: Major > Fix For: Scripting Core 2.3.6 > > > The ".SLING_availablebindings.json" selector is registered at > /apps/sling/servlet/default and the usage on all resources is not protected > by any security checks. The information returned contains implementation > details that a regular user should not need to know and could be considered > an "information disclosure" vulnerability. > Since this selector appears to only be used by the "Scripting Variables" > webconsole plugin, I would expect that it should require the same security > checking that would be needed to access the webconsole. > -- This message was sent by Atlassian Jira (v8.3.4#803005)