Description

XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

Remediation

References

https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56

https://jira.xwiki.org/browse/XWIKI-16138

Related Vulnerabilities

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk14

CVE-2021-33605 Vulnerability in maven package com.vaadin:vaadin-checkbox-flow

CVE-2022-39381 Vulnerability in npm package muhammara

CVE-2019-10241 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2019-1003049 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-359 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Vendor Advisory Issue Tracking