logo

Database

Business information leak In org.xwiki.platform:xwiki-platform-rest-server

Description

XWiki Platform may show email addresses in clear in REST results

Impact

Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated).

For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user U1 exists on wiki xwiki.

Patches

The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1

Workarounds

There is no known workaround. It is advised to upgrade to one of the patched versions.

References

For more information

If you have any questions or comments about this advisory:

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-351512. NVD-2023-351513. OSV-2023-351514. GHSA-8g9c-c9cm-9c565. GCVE-2023-35151

References

1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c562. https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede3. https://jira.xwiki.org/browse/XWIKI-16138

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.