CVE-2023-29203

2023-04-1516:15:07

CWE-359

CWE-668

[email protected]

web.nvd.nist.gov

cve-2023-29203

xwiki commons

user disclosure

security patch

nvd

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. It’s possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.

Affected configurations

Vulners

NVD

Node

xwikixwikiRange13.9-rc-1–13.10.8

xwikixwikiRange14.0-rc-1–14.4.3

xwikixwikiRange14.5–14.7-rc-1

VendorProductVersionCPE
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 13.9-rc-1, < 13.10.8",
        "status": "affected"
      },
      {
        "version": ">= 14.0-rc-1, < 14.4.3",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.7-rc-1",
        "status": "affected"
      }
    ]
  }
]