Lucene search

[email protected]NVD:CVE-2023-34467

HistoryJun 23, 2023 - 5:15 p.m.

CVE-2023-34467

2023-06-2317:15:09

CWE-402

CWE-668

[email protected]

web.nvd.nist.gov

xwiki platform

mail obfuscation

security patch

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

42.3%

JSON

XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the rest response was also containing the mail unobfuscated and users were able to filter and sort on the unobfuscated, allowing them to infer the mail content. The consequence was the possibility to retrieve the email addresses of all users even when obfuscated. This has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1.

Affected configurations

NVD

Node

xwikixwikiRange3.5.1–14.4.8

xwikixwikiRange14.10–14.10.4

xwikixwikiMatch3.5milestone1

References

github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a

github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63

jira.xwiki.org/browse/XWIKI-20333

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

42.3%

JSON

Related for NVD:CVE-2023-34467

cve1 prion1 osv2 cvelist1 github1