Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03ZjJmLXBjdjMtajJyN84AAz9n
XWiki Platform's tags on non-viewable pages can be revealed to users
Impact
Tags from pages not viewable to the current user are leaked by the tags API.
This information can also be exploited to infer the document reference of non-viewable pages.
Patches
This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1.
Workarounds
There is no workaround apart from upgrading to a fixed version.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ZjJmLXBjdjMtajJyN84AAz9n
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-7f2f-pcv3-j2r7, CVE-2023-34466
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7f2f-pcv3-j2r7
- https://jira.xwiki.org/browse/XWIKI-20002
- https://nvd.nist.gov/vuln/detail/CVE-2023-34466
- https://github.com/advisories/GHSA-7f2f-pcv3-j2r7
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-tag-api
Affected Version Ranges: >= 14.5, < 14.10.4, >= 5.0-milestone-1, < 14.4.8Fixed in: 14.10.4, 14.4.8