Intigriti - Hack Hub
Misconfig Mapper Docs
User Email Visibility
Last updated 12 months ago


Description:

Older versions of Atlassian Confluence (Server and Data Center) provide three options for configuring email address privacy: Public, Masked and Only visible to site administrators. Set the email address visibility to Only visible to site administrators to protect the email addresses of existing users.

With Only visible to site administrators selected, email addresses are also hidden from the user search popups (the autocomplete shown when mentioning or searching for a user).

Testing:

There is no dedicated testing procedure for this misconfiguration. Browse the instance, unauthenticated if anonymous access is enabled or otherwise as a low-privileged user, and check whether email addresses appear next to user names: on user profile pages, in the People Directory, in user search popups, or next to the author of a page or comment. A plain address indicates Public, an address rendered in a spam-resistant form such as "user at example dot com" indicates Masked, and no address at all indicates Only visible to site administrators. Probing with the address of an account you control is more reliable than scanning for any address, because page content may contain unrelated addresses (support contacts, footers, mailto: links).
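The following Python helpers automate that check. They are an added example, not code from the Misconfig Mapper project or from Atlassian. They assume the Confluence Server/Data Center profile paths `/users/viewuserprofile.action?username=` and `/display/~username`, and that the Masked option renders addresses as `user at example dot com`; the profile HTML fragments are constructed samples, not real responses.

```python
import html
import re
from urllib.parse import quote

# Plain address as it appears in page text or inside a mailto: link.
PLAIN_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Assumed rendering of Confluence's "Masked" option: "user at example dot com".
MASKED_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+ at [A-Za-z0-9-]+(?: dot [A-Za-z0-9-]+)+")


def mask_email(email: str) -> str:
    """Render an address the way the Masked option is assumed to (see above)."""
    local, _, domain = email.partition("@")
    return f"{local} at {domain.replace('.', ' dot ')}"


def profile_urls(base_url: str, username: str) -> list[str]:
    """Pages on Confluence Server/Data Center that show a user's details (assumed paths).

    base_url must include any context path (e.g. https://host/wiki) so it is preserved.
    """
    root = base_url.rstrip("/")
    u = quote(username, safe="")
    return [
        f"{root}/users/viewuserprofile.action?username={u}",
        f"{root}/display/~{u}",
    ]


def email_exposure(page_html: str, known_email: str) -> str:
    """Classify how the address of a user you control appears in a fetched page.

    Probing with a known address avoids false positives from unrelated
    addresses elsewhere in the page. Returns "public", "masked" or "not_shown".
    "not_shown" only means the address is absent from this page; confirm on the
    other profile URLs before concluding the setting is restrictive.
    """
    text = html.unescape(page_html).lower()
    if known_email.lower() in text:
        return "public"
    if mask_email(known_email).lower() in text:
        return "masked"
    return "not_shown"


def scan_for_emails(page_html: str) -> dict[str, list[str]]:
    """Broad sweep of any page (People Directory, page history, comments) for plain
    or masked addresses, for when no test account is available."""
    text = html.unescape(page_html)
    return {
        "public": sorted(set(PLAIN_EMAIL.findall(text))),
        "masked": sorted(set(MASKED_EMAIL.findall(text))),
    }


# Constructed sample profile fragments, one per visibility setting.
PUBLIC_PROFILE = (
    '<div class="profile"><span class="fullname">Jane Doe</span> '
    '<a href="mailto:jane.doe@example.com">jane.doe@example.com</a></div>'
)
MASKED_PROFILE = (
    '<div class="profile"><span class="fullname">Jane Doe</span> '
    '<span class="email">jane.doe at example dot com</span></div>'
)
HIDDEN_PROFILE = '<div class="profile"><span class="fullname">Jane Doe</span></div>'

if __name__ == "__main__":
    for url in profile_urls("https://confluence.example.com", "jane.doe"):
        print("check:", url)
    for label, sample in [("public", PUBLIC_PROFILE), ("masked", MASKED_PROFILE), ("hidden", HIDDEN_PROFILE)]:
        print(label, "->", email_exposure(sample, "jane.doe@example.com"), scan_for_emails(sample))
```

To use it against a real instance, fetch each URL from `profile_urls()` with the session you are testing (anonymous or low-privileged) and pass the response body to `email_exposure()` together with the address of an account you own; fall back to `scan_for_emails()` on pages such as the People Directory when you have no test account.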

Remediation:

To configure the visibility policy of user emails on Confluence Server and Data Center:

  1. Navigate to your Confluence instance and sign in as an administrator

  2. Open the Administration settings by clicking on the gear icon next to your profile picture

  3. In the side navigation bar, scroll down to Security and open Security Configuration

  4. Click on Edit to make the fields editable

  5. Select Only visible to site administrators from the User email visibility dropdown

  6. Save your changes

Confluence Cloud does not allow administrators to enforce an email visibility setting. Instead, each user controls it through their own Atlassian account:

  1. Sign in to your Atlassian account and open Profile and visibility: https://id.atlassian.com/manage-profile/profile-and-visibility

  2. Scroll down to the Contact section

  3. Under Who can see this? next to your email address, select Only you and admins

  4. Your changes are saved automatically

Potential Impact:

If user email visibility is set to Public, the email addresses of all existing users are displayed to anyone who can view the instance, including anonymous visitors if anonymous access is enabled. This is rarely a direct security risk on its own, but the harvested addresses support further attacks and information gathering: targeted phishing, password spraying against the Confluence login or the organisation's SSO, and username enumeration where usernames follow the local part of the email address.

References:

https://id.atlassian.com/manage-profile/profile-and-visibility
https://confluence.atlassian.com/doc/user-email-visibility-138596.html