Xwiki · Xwiki-Platform-Web-Templates · CVE-2022-36091
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform Web Templates versions prior to 13.10.4 and 14.2
**Description**
The issue allows access to string and list properties of objects that the user should not have access to, including private personal information such as email addresses and salted password hashes of registered users, as well as sensitive configuration fields such as passwords for LDAP or SMTP servers. On private wikis, this can be exploited at least for string properties by also exploiting an additional vulnerability.
**Recommendations**
For versions prior to 13.10.4, update to version 13.10.4 or later.
For versions prior to 14.2, update to version 14.2 or later.
As a temporary workaround, consider replacing the template file `suggest.vm` with a patched version, which requires neither upgrading nor restarting XWiki. If the template has been overridden, the overriding template should be patched, too. The patch might need adjustments for older versions, though.