Ynoof

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.15 XWiki Platform versions prior to 15.5.2 XWiki Platform versions prior to 15.7-rc-1 **Description** The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. This can be demonstrated by searching for `objcontent:email*` using XWiki's regular search interface. The issue is related to the lack of protection for service data, which can allow a remote attacker to reveal information about user email addresses. **Recommendations** For XWiki Platform versions prior to 14.10.15, update to version 14.10.15 or later. For XWiki Platform versions prior to 15.5.2, update to version 15.5.2 or later. For XWiki Platform versions prior to 15.7-rc-1, update to version 15.7-rc-1 or later. As a temporary workaround, consider restricting access to the Solr-based search feature until the issue is resolved. Avoid using the `objcontent:email*` search query in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.6 XWiki Platform versions prior to 15.1-rc-1 **Description** The issue allows an attacker to perform a cross-site scripting (XSS) attack by forging a request to a delete attachment action with a specific attachment name. This can be exploited if the attacker knows the CSRF token of the user or if the user ignores the warning about the missing CSRF token. **Recommendations** For versions prior to 14.10.6, update to XWiki 14.10.6 to resolve the issue. For versions prior to 15.1-rc-1, update to XWiki 15.1-rc-1 to resolve the issue. As a temporary workaround, consider restricting access to the delete attachment action until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki versions 4.2-milestone-1 through 14.10 **Description** The issue concerns the "restricted" mode of the HTML cleaner in XWiki, which allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. This vulnerability enables server-side code execution with programming rights, impacting the confidentiality, integrity, and availability of the XWiki instance. When a privileged user with programming rights visits a malicious comment, the JavaScript code is executed in the context of the user session. **Recommendations** For versions prior to 14.10, upgrade to XWiki 14.10 or later, as it includes the fix where HTML comments are removed in restricted mode and a check is introduced to ensure comments don't start with `>`. At the moment, there is no other information about additional workarounds apart from upgrading to a version including the fix.