CVSS 3.1 base score: 9.9 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Changed; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: High
EPSS: 0.001 (Low), percentile 44.1%
Mail.MailConfig can be edited by any logged-in user by default. Consequently, they can:
The problem has been patched on XWiki 14.4.8, 15.1, and 14.10.6.
The rights of the Mail.MailConfig page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the XWiki.XWikiAdminGroup group).
On 14.4.8+, 15.1-rc-1+, or 14.10.5+, if at startup Mail.MailConfig does not have any rights defined, view, edit and delete rights are automatically granted to the XWiki.XWikiAdminGroup group.
See the corresponding patch.
If you have any questions or comments about this advisory:
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1
github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4
github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
jira.xwiki.org/browse/XWIKI-20519
jira.xwiki.org/browse/XWIKI-20671
nvd.nist.gov/vuln/detail/CVE-2023-34465