Lucene search

GoogleOSV:GHSA-8G9C-C9CM-9C56

HistoryJun 20, 2023 - 4:46 p.m.

XWiki Platform may show email addresses in clear in REST results

2023-06-2016:46:29

Google

osv.dev

xwiki

platform

rest

security

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

48.3%

JSON

Impact

Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated).

For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user U1 exists on wiki xwiki.

Patches

The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1

Workarounds

There is no known workaround. It is advised to upgrade to one of the patched versions.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

References

github.com/xwiki/xwiki-platform

github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56

jira.xwiki.org/browse/XWIKI-16138

nvd.nist.gov/vuln/detail/CVE-2023-35151

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

48.3%

JSON

Related for OSV:GHSA-8G9C-C9CM-9C56