CVE-2023-35151

XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

Configurations

Configuration 1

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:7.3:milestone1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:*

History

30 Jun 2023, 07:28

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 7.5
References | (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56 - | (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56 - Vendor Advisory
References | (MISC) https://jira.xwiki.org/browse/XWIKI-16138 - | (MISC) https://jira.xwiki.org/browse/XWIKI-16138 - Issue Tracking, Vendor Advisory
References | (MISC) https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede - | (MISC) https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede - Patch, Vendor Advisory
CWE | | CWE-359; CWE-668
CPE | | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*; cpe:2.3:a:xwiki:xwiki:7.3:milestone1:*:*:*:*:*:*; cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:*; cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:*
First Time | | Xwiki; Xwiki xwiki

23 Jun 2023, 17:21

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2023-06-23 17:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-35151

Mitre link : CVE-2023-35151

CVE.ORG link : CVE-2023-35151


Products Affected

xwiki

  • xwiki

CWE
CWE-668

Exposure of Resource to Wrong Sphere

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor