CVE-2023-35151
EUVD-2023-174923.06.2023, 17:15
XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| xwiki | xwiki | 7.4 ≤ 𝑥 < 14.4.8 |
| xwiki | xwiki | 14.10 ≤ 𝑥 < 14.10.6 |
| xwiki | xwiki | 7.3:milestone1 |
| xwiki | xwiki | 15.0 |
| xwiki | xwiki | 15.0:rc1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-359 - Exposure of Private Personal Information to an Unauthorized ActorThe product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
- CWE-668 - Exposure of Resource to Wrong SphereThe product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
References