CVE-2023-35151: XWiki Platform may show email addresses in clear in REST results

7.5 CVSS

Description

XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

Classification

CVE ID: CVE-2023-35151

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: xwiki

Product: xwiki-platform

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.15% (probability of being exploited)

EPSS Percentile: 51.45% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date on which this score was calculated)

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56
https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede
https://jira.xwiki.org/browse/XWIKI-16138

Timeline