PT-2023-22200 · Xwiki · Xwiki Commons

Tmortagne · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29203

CVSS v3.1: 3.7 (Low)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
XWiki Commons versions prior to 13.10.8
XWiki Commons versions prior to 14.4.3
XWiki Commons versions prior to 14.7RC1

Description
Usernames and first and last names of hidden users from the main wiki can be disclosed by requesting users with uorgsuggest.vm on a subwiki that allows only global users. The issue affects only hidden users from the main wiki, and no other information is leaked.

Recommendations
For versions prior to 13.10.8, update to version 13.10.8 or later.
For versions prior to 14.4.3, update to version 14.4.3 or later.
For versions prior to 14.7RC1, update to version 14.7RC1 or later.
As a temporary workaround, consider patching uorgsuggest.vm directly to apply the same changes as in the provided GitHub pull request.

Exploit

Fix

Exposure of Resource to Wrong Sphere

Weakness Enumeration

Related identifiers

CVE-2023-29203
GHSA-VVP7-R422-RX83

Affected products

Xwiki Commons