GHSA-8g9c-c9cm-9c56
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8g9c-c9cm-9c56
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-8g9c-c9cm-9c56/GHSA-8g9c-c9cm-9c56.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8g9c-c9cm-9c56
- Aliases
- Published
- 2023-06-20T16:46:29Z
- Modified
- 2023-11-08T04:12:50.256108Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- XWiki Platform may show email addresses in clear in REST results
- Details
-
Impact
Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated).
For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user
U1exists on wikixwiki.Patches
The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1
Workarounds
There is no known workaround. It is advised to upgrade to one of the patched versions.
References
- https://jira.xwiki.org/browse/XWIKI-16138
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
- Database specific
{ "nvd_published_at": "2023-06-23T17:15:09Z", "cwe_ids": [ "CWE-359", "CWE-668" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-06-20T16:46:29Z" }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Maven / org.xwiki.platform:xwiki-platform-rest-server
Package
- Name
- org.xwiki.platform:xwiki-platform-rest-server
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-rest-server