CVE-2023-29203 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm

2023-04-1515:17:46

CWE-359

GitHub_M

www.cve.org

cve-2023-29203

unauthenticated user

info disclosure

xwiki commons

subwiki

uorgsuggest.vm

hidden users

xwiki 13.10.8

xwiki 14.4.3

xwiki 14.7rc1

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

32.7%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. It’s possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 13.9-rc-1, < 13.10.8",
        "status": "affected"
      },
      {
        "version": ">= 14.0-rc-1, < 14.4.3",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.7-rc-1",
        "status": "affected"
      }
    ]
  }
]