CVSS 3.1 base score: 7.5 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.001 (Low), percentile 42.3%
The mail obfuscation configuration was not fully taken into account. While the email address displayed to the end user was obfuscated, it was still possible to retrieve the email addresses of all users, even with obfuscation enabled.
See https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps.
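The following is an added example, not code from the advisory or from the XWiki project. It checks a live table result payload captured from your own instance (the Jira issue above describes how the results are obtained) and flags rows whose email column is a plain, unobfuscated address. The sample payload is constructed here; it follows the JSON shape XWiki's LiveTableResults page returns, and the "..." obfuscation marker is an assumption that you should adjust to what your instance actually renders.

```python
import json
import re
import sys

# Constructed sample of a live table result, in the JSON shape XWiki's
# LiveTableResults page returns (reqNo/totalrows/returnedrows/offset/rows).
# The user names and addresses are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "reqNo": 1,
    "totalrows": 3,
    "returnedrows": 3,
    "offset": 1,
    "rows": [
        {"doc_fullName": "XWiki.Alice", "email": "a...@example.org"},
        {"doc_fullName": "XWiki.Bob", "email": "bob.smith@example.org"},
        {"doc_fullName": "XWiki.Carol", "email": ""},
    ],
})

# Assumption for this example: an obfuscated address replaces all but a
# leading fragment of the local part with this marker. Change it to match
# what your instance shows when obfuscation is enabled.
OBFUSCATION_MARKER = "..."

# A plain address: non-empty local part, exactly one "@", a dotted domain.
ADDRESS = re.compile(r"^([^@\s]+)@[^@\s]+\.[^@\s]+$")


def looks_like_full_address(value: str) -> bool:
    """True when value is an email address whose local part was not obfuscated."""
    match = ADDRESS.match(value.strip())
    if not match:
        return False
    return OBFUSCATION_MARKER not in match.group(1)


def leaked_emails(payload: str, columns=("email",)) -> list:
    """Return (document, address) pairs for rows whose email column is a full address."""
    data = json.loads(payload)
    leaks = []
    for row in data.get("rows", []):
        for col in columns:
            value = row.get(col) or ""
            if isinstance(value, str) and looks_like_full_address(value):
                leaks.append((row.get("doc_fullName", "?"), value))
    return leaks


if __name__ == "__main__":
    # Usage: python check_livetable.py response.json  (defaults to the sample)
    payload = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for doc, address in leaked_emails(payload):
        print(f"unobfuscated address in live table row {doc}: {address}")
```

Run it against a response saved from an unauthenticated session: any row it reports means the live table is still returning the raw property value rather than the obfuscated display value.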
This has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1.
The workaround is to modify the page XWiki.LiveTableResultsMacros following the patch in the referenced fix commit (71f889db9962df2d385f4298e29cfbc9050b828a).
Reference: https://jira.xwiki.org/browse/XWIKI-20333
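An added example (not from the advisory or the XWiki project) for deciding whether an installed XWiki version carries the fix. The three fixed releases come from the advisory; the branch logic is the practitioner's caveat: a version on a branch with no listed fix, such as 14.6.0, is newer than 14.4.8 but is not fixed, and pre-release qualifiers order before the final release. Treating every 15.x release at or above 15.0-rc-1 as fixed is an assumption made here.

```python
# Fixed releases named in the advisory, keyed by (major, minor) branch.
# Assumption, not from the advisory: any 15.x release at or above
# 15.0-rc-1 is taken to carry the fix.
FIXED_VERSIONS = {
    (14, 4): "14.4.8",
    (14, 10): "14.10.4",
    (15, 0): "15.0-rc-1",
}

# Pre-release qualifiers order before the final release of the same number.
QUALIFIER_RANK = {"milestone": 0, "rc": 1, "": 2}


def version_key(version: str) -> tuple:
    """Map an XWiki version string to a sortable tuple.

    "14.10.4"   -> (14, 10, 4, 2, 0)
    "15.0-rc-1" -> (15, 0, 0, 1, 1)
    "15.0"      -> (15, 0, 0, 2, 0)
    """
    core, _, qualifier = version.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    kind, _, number = qualifier.partition("-")
    if kind not in QUALIFIER_RANK:
        raise ValueError(f"unrecognised version qualifier: {version}")
    return (*parts[:3], QUALIFIER_RANK[kind], int(number or 0))


def is_fixed(version: str) -> bool:
    """True when version is at or above the fixed release on its branch.

    Branches without a listed fix (anything below 14.4, and 14.5 through
    14.9) are reported as not fixed, even when numerically above 14.4.8.
    """
    major, minor, *_ = version_key(version)
    if major >= 15:
        branch = (15, 0)
    elif (major, minor) in FIXED_VERSIONS:
        branch = (major, minor)
    else:
        return False
    return version_key(version) >= version_key(FIXED_VERSIONS[branch])


if __name__ == "__main__":
    import sys
    for v in sys.argv[1:] or ["14.4.7", "14.6.0", "14.10.4", "15.0-rc-1"]:
        print(v, "fixed" if is_fixed(v) else "not fixed")
```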
This vulnerability was reported on Intigriti by @floerer.
References:
https://github.com/advisories/GHSA-7vr7-cghh-ch63
https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63
https://jira.xwiki.org/browse/XWIKI-20333
https://nvd.nist.gov/vuln/detail/CVE-2023-34467