How to restrict seeing the system.user entity data from x-path injection

When scanning an app for x-path injection vulnerabilities, it was found that the System.User password and hash value are readable for the user, and we need to hide that value from being viewed via xpath. But the problem is that we cannot update anything in the System module. On the other hand, we have the Administration.Account entity, which is a generalization of the System.User entity. Through an x-path read from this Account entity we are again able to view the System.User entity password and hashed value. I have added an x-path constraint on this entity but am still not able to restrict it from accessing data from the System.User entity. Any idea how we can restrict access to the logged-in user’s password and other details from x-path retrieval?
1 answer

You need to upgrade to Mx8.18.2 or higher to have this fixed. See the release notes here:

  • We updated access rules for the user’s password attribute to prevent access to its hashed value.