PT-2023-8595 · Xwiki · Xwiki Platform
Michael Hamann · Published 2023-12-15 · Updated 2023-12-19 · CVE-2023-50719
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 7.2-milestone-2 through 14.10.14
XWiki Platform versions 15.5.1 and earlier
XWiki Platform versions prior to 15.7-rc-1
Description
The Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public, so on a default installation the hashes are exposed to unauthenticated visitors. The same issue affects configurations of extensions that store secrets such as API keys, which are disclosed in plain text. Approximately 2,208 instances are affected, mainly in Germany and the United States.
Recommendations
For XWiki Platform versions 7.2-milestone-2 through 14.10.14, update to version 14.10.15 or later.
For XWiki Platform versions 15.5.1 and earlier, update to version 15.5.2 or later.
For XWiki Platform versions prior to 15.7-rc-1, update to version 15.7-rc-1 or later.
As a temporary workaround, consider restricting access to user profiles and sensitive configurations until a patch is applied.
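To make the three affected ranges above directly usable in an inventory check, the following added example (not part of the advisory or of the XWiki project) parses XWiki Platform version strings, orders milestone and release-candidate builds before the final release, and reports whether a given version falls into an affected range together with the fixed version named in the recommendations. The range boundaries are taken from the advisory text; treating the 15.x and 15.6.x ranges as starting at their first milestone is an assumption made here so that pre-releases of those branches are not silently reported as unaffected.

```python
"""Version-range check for XWiki Platform against advisory PT-2023-8595 /
CVE-2023-50719. Added example: bounds come from the advisory text, the
pre-release ordering (milestone < rc < final) is an assumption based on
XWiki's version naming such as 7.2-milestone-2 and 15.7-rc-1."""
import re
from functools import total_ordering
from typing import Optional, Tuple

_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2  # a final release sorts after any milestone or rc of the same number

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


@total_ordering
class XWikiVersion:
    """Comparable representation of a version such as '14.10.14' or '15.7-rc-1'."""

    def __init__(self, text: str):
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised XWiki version string: {text!r}")
        numbers = tuple(int(p) for p in m.group(1).split("."))
        # Pad to three numeric components so that 15.6 compares equal to 15.6.0.
        self.numbers = numbers + (0,) * max(0, 3 - len(numbers))
        if m.group(2):
            self.pre = (_PRERELEASE_RANK[m.group(2).lower()], int(m.group(3)))
        else:
            self.pre = (_FINAL_RANK, 0)
        self.text = text.strip()

    def _key(self):
        return (self.numbers, self.pre)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    def __repr__(self):
        return f"XWikiVersion({self.text!r})"


# (first affected version, first fixed version), derived from the advisory:
#   7.2-milestone-2 .. 14.10.14  -> fixed in 14.10.15
#   15.x up to 15.5.1            -> fixed in 15.5.2
#   15.6.x up to before 15.7-rc-1 -> fixed in 15.7-rc-1
# Assumption: the 15.x and 15.6.x ranges begin at the branch's first milestone.
AFFECTED_RANGES = [
    ("7.2-milestone-2", "14.10.15"),
    ("15.0-milestone-1", "15.5.2"),
    ("15.6-milestone-1", "15.7-rc-1"),
]


def affected_status(version: str) -> Tuple[bool, Optional[str]]:
    """Return (is_affected, fixed_version) for an XWiki Platform version string."""
    v = XWikiVersion(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if XWikiVersion(first_affected) <= v < XWikiVersion(first_fixed):
            return True, first_fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["14.10.14", "14.10.15", "15.5.1", "15.5.2", "15.6", "15.7-rc-1", "7.1"]:
        affected, fixed = affected_status(v)
        print(f"{v:>12}: {'AFFECTED, update to ' + fixed if affected else 'not affected'}")
```

Versions between 14.10.15 and the start of the 15.x branch, and between 15.5.2 and 15.6, are reported as not affected because the advisory names 14.10.15 and 15.5.2 as fixed releases; anything at or above 15.7-rc-1 is likewise clean.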
Classification: Information Disclosure · Cleartext Storage of Sensitive Information
Affected Products: XWiki Platform