Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1nNzVjLWNqcjYtMzltY84AAz9m

XWiki Platform's Mail.MailConfig can be edited by any user with edit rights

Impact

Mail.MailConfig can be edited by any logged-in user by default. Consequently, they can:

Patches

The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1.

Workarounds

The rights of the Mail.MailConfig page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the XWiki.XWikiAdminGroup group).
On 14.4.8+, 15.1-rc-1+, or 14.10.5+, if at startup Mail.MailConfig does not have any rights defined, view, edit and delete rights are automatically granted to the XWiki.XWikiAdminGroup group.
See the corresponding patch.
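The two workaround paragraphs above (manually restricting the page, and the patched startup behaviour that adds an admin-only rule when no rights are defined) come down to one audit question: does Mail.MailConfig carry XWiki.XWikiRights objects, and do they grant view, edit and delete to XWiki.XWikiAdminGroup alone? The script below is an added example, not code from XWiki or from this advisory. It assumes the XWiki REST layout `/rest/wikis/{wiki}/spaces/Mail/pages/MailConfig/objects/XWiki.XWikiRights`, that a single object is returned as JSON with a `properties` list of `name`/`value` pairs, and that new objects are created by POSTing `className` plus `property#<name>` form fields; verify those against your XWiki version. The sample responses are constructed inline so the classification logic runs offline.

```python
"""Audit (and build the fix for) the rights on Mail.MailConfig via the XWiki REST API.
Added example for CVE-2023-34465 / GHSA-g75c-cjr6-39mc; not XWiki project code."""
import base64
import json
import urllib.parse
import urllib.request

RIGHTS_CLASS = "XWiki.XWikiRights"
ADMIN_GROUP = "XWiki.XWikiAdminGroup"
REQUIRED_LEVELS = {"view", "edit", "delete"}

# Constructed samples (assumed REST "Object" shape, not captured from a real server).
SAMPLE_UNPROTECTED = []            # no rights objects: the vulnerable default
SAMPLE_ADMIN_ONLY = [{             # what the workaround / patched startup produces
    "className": RIGHTS_CLASS, "number": 0,
    "properties": [
        {"name": "allow", "value": "1"},
        {"name": "groups", "value": ADMIN_GROUP},
        {"name": "users", "value": ""},
        {"name": "levels", "value": "view,edit,delete"},
    ],
}]


def _csv(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def parse_rights(objects):
    """Turn REST object representations into allow/deny rules we can reason about."""
    rules = []
    for obj in objects:
        if obj.get("className") != RIGHTS_CLASS:
            continue
        props = {p["name"]: p.get("value") for p in obj.get("properties", [])}
        rules.append({
            "allow": str(props.get("allow", "1")) == "1",
            "groups": _csv(props.get("groups")),
            "users": _csv(props.get("users")),
            "levels": _csv(props.get("levels")),
        })
    return rules


def assess(rules):
    """'unprotected': no rights objects on the page, so it inherits the wiki defaults and
    (per the advisory) any logged-in user can edit it.
    'admin_only': every rule is an allow rule naming only XWiki.XWikiAdminGroup and the
    rules together cover view, edit and delete.
    'custom': anything else (deny rules, extra users/groups, partial levels); review by hand,
    since XWiki also consults space- and wiki-level rights this script does not fetch."""
    if not rules:
        return "unprotected"
    covered = set()
    for rule in rules:
        if not rule["allow"] or rule["users"] or rule["groups"] != {ADMIN_GROUP}:
            return "custom"
        covered |= rule["levels"]
    return "admin_only" if REQUIRED_LEVELS <= covered else "custom"


def lockdown_form():
    """Form body for POST .../pages/MailConfig/objects that adds the admin-only allow rule.
    Field syntax (className, property#<name>) is assumed from the XWiki REST docs."""
    return urllib.parse.urlencode({
        "className": RIGHTS_CLASS,
        "property#groups": ADMIN_GROUP,
        "property#users": "",
        "property#levels": "view,edit,delete",
        "property#allow": "1",
    })


def fetch_rights(base_url, wiki, user, password):
    """Fetch every XWiki.XWikiRights object on Mail.MailConfig (needs view right on the page)."""
    page = f"{base_url.rstrip('/')}/rest/wikis/{wiki}/spaces/Mail/pages/MailConfig/objects/{RIGHTS_CLASS}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": f"Basic {token}"}

    def get(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
            return json.load(resp)

    summaries = get(page).get("objectSummaries", [])
    return [get(f"{page}/{s['number']}") for s in summaries]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in fetch_rights(...) for a live wiki.
    print("no rights objects ->", assess(parse_rights(SAMPLE_UNPROTECTED)))
    print("admin-only rule   ->", assess(parse_rights(SAMPLE_ADMIN_ONLY)))
    print("fix (POST body)   ->", lockdown_form())
```

If the audit reports `unprotected` on a version below the fixed releases, POST `lockdown_form()` to the page's `objects` resource as an administrator, then re-run the audit; on 14.4.8+, 15.1-rc-1+ or 14.10.5+ a restart of the instance performs the same step automatically when no rights are defined.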

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-g75c-cjr6-39mc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNzVjLWNqcjYtMzltY84AAz9m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 6 months ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-g75c-cjr6-39mc, CVE-2023-34465
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-mail-send-default
Affected Version Ranges: >= 11.8-rc-1, < 14.4.8; >= 14.5, < 14.10.6; >= 15.0-rc-1, < 15.1
Fixed in: 15.1, 14.10.6, 14.4.8