Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNWZnLWhqY3ItajY1Zs0p1g
Information exposure in xwiki-platform
Impact
It's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users.
Patches
The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.
Workarounds
There's no easy workaround other than applying the upgrade.
References
https://jira.xwiki.org/browse/XWIKI-18787
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at XWiki Security Mailing list
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNWZnLWhqY3ItajY1Zs0p1g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-35fg-hjcr-j65f, CVE-2022-23619
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f
- https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494
- https://jira.xwiki.org/browse/XWIKI-18787
- https://nvd.nist.gov/vuln/detail/CVE-2022-23619
- https://github.com/advisories/GHSA-35fg-hjcr-j65f
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-web
Affected Version Ranges: < 12.10.9, >= 13.0.0, < 13.4.1, >= 13.5RC1, <= 13.5
Fixed in: 12.10.9, 13.4.1, 13.6RC1