Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wODh3LWZoeHcteHZjY84AAv_W
Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
Impact
The modifications rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the modifications rest endpoint (e.g., comments, page names...).
Patches
Users should upgrade to XWiki 14.6+, 14.4.3+, or13.10.8+. Older versions have not been patched.
Workarounds
No known workaround.
References
- Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- Jira issue: https://jira.xwiki.org/browse/XWIKI-19997
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wODh3LWZoeHcteHZjY84AAv_W
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: almost 2 years ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-p88w-fhxw-xvcc, CVE-2022-41936
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc
- https://nvd.nist.gov/vuln/detail/CVE-2022-41936
- https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- https://jira.xwiki.org/browse/XWIKI-19997
- https://github.com/advisories/GHSA-p88w-fhxw-xvcc
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-rest-server
Affected Version Ranges: >= 14.5.0, < 14.6, >= 14.0.0, < 14.4.3, >= 8.1, < 13.10.8Fixed in: 14.6, 14.4.3, 13.10.8