Vincent Massol

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 7.3-milestone-1 through 14.4.7 XWiki Platform versions 14.4.8 is not affected, but versions prior to 14.4.8 are affected, the same applies to versions 14.10.6 and 15.1, so the correct format is: XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.6 XWiki Platform versions prior to 15.1 However, since versions prior to 14.4.8 already include versions prior to 14.10.6 and 15.1, we can simplify to: XWiki Platform versions prior to 14.4.8 **Description** The issue allows any user to call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. For instance, by calling "http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0" when user `U1` exists on wiki `xwiki`. **Recommendations** To resolve the issue, upgrade to one of the patched versions: 14.4.8, 14.10.6, or 15.1. As there is no known workaround, it is advised to upgrade to one of the patched versions.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.7 XWiki Platform versions prior to 14.10-rc-1 **Description** The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions, any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This issue can be exploited by creating a forged XAR file with a `package.xml` content that includes an `ENTITY` referencing a file on the server, such as `file:///etc/passwd`, and then uploading it to a wiki page and triggering the import using a specific URL, for example, `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar`. **Recommendations** For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.7, upgrade to version 14.4.7 or later. For versions prior to 14.10-rc-1, upgrade to version 14.10-rc-1 or later. As a temporary workaround for users unable to upgrade, apply the patch `e3527b98fd` manually to the `XarPackage` java class.