Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04ZzljLWM5Y20tOWM1Ns4AAz9q
XWiki Platform may show email addresses in clear in REST results
Impact
Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated).
For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user U1 exists on wiki xwiki.
Patches
The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1
Workarounds
There is no known workaround. It is advised to upgrade to one of the patched versions.
References
- https://jira.xwiki.org/browse/XWIKI-16138
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04ZzljLWM5Y20tOWM1Ns4AAz9q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-8g9c-c9cm-9c56, CVE-2023-35151
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede
- https://jira.xwiki.org/browse/XWIKI-16138
- https://nvd.nist.gov/vuln/detail/CVE-2023-35151
- https://github.com/advisories/GHSA-8g9c-c9cm-9c56
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-rest-server
Affected Version Ranges: >= 15.0-rc-1, < 15.1, >= 14.5, < 14.10.6, >= 7.3-milestone-1, < 14.4.8Fixed in: 15.1, 14.10.6, 14.4.8