Bug
In the Portal self-page (Ex: https://test-org.esri.com/portal-WA/sharing/portals/self) there is an exposure vulnerability where the username of the owner of the group under the featured Groups is displayed.
| Bug ID Number | BUG-000093375 |
|---|---|
| Submitted | January 7, 2016 |
| Last Modified | February 15, 2023 |
| Severity | Medium |
| Applies to | Portal for ArcGIS |
| Version found | 10.3.1 |
| Operating System | N/A |
| Status | Will Not Be Addressed |
Additional Information
Portal is a social collaboration site and thus there is a lot of inter-user interaction. In order for a user to know who they are interacting with or what they are using, it is necessary to know who the person is or who owns the item. Portal is designed also for anonymous user usage, in fact that is quite common as organizations may not want to purchase tens of thousands of named users. It is also necessary for anonymous users to know whether they trust something or someone. As a result, the behavior described is designed into the software and is fundamental to its usage. It is possible to know who owns any group you have access to, not just featured items. In fact, if we changed it on the self-call, it is be possible to determine the owner of the group through another API. It is included in the self-call for performance/efficiency reasons and does not reduce the security.Workaround
Possible workaround is to remove all groups from the Featured Groups section in the Portal Groups section. As documented, create a new account. Promote it to administrator. Disable initial administrator account.Steps to Reproduce
Bug ID: BUG-000093375
Software:
- Portal for ArcGIS
Get help from ArcGIS experts
Download the Esri Support App
Discover more on this topic
Search for related information
Find training related to this topic
Explore ideas and give feedback