How to restrict viewing System.User entity data via XPath injection
When scanning an app for XPath injection vulnerabilities, it was found that the System.User password and hash value are readable by the user, and we need to hide that value from being viewed via XPath. The problem is that we cannot update anything in the System module. On the other hand, we have the Administration.Account entity, which is a specialization of the System.User entity. Through an XPath read on this Account entity we are again able to view the System.User entity's password and hashed value. I have added an XPath constraint on this entity, but I am still not able to restrict it from accessing data from System.User. Any idea how we can restrict access to the logged-in user's password and other details via XPath retrieval?