PT-2023-22200 · Xwiki · Xwiki Commons

Tmortagne · Published 2023-04-12 · Updated 2023-04-26 · CVE-2023-29203

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Commons versions prior to 13.10.8
XWiki Commons versions prior to 14.4.3
XWiki Commons versions prior to 14.7RC1
Description

On a subwiki configured to allow only global users, requesting user suggestions through uorgsuggest.vm discloses the usernames and first and last names of hidden users from the main wiki. Only hidden users of the main wiki are affected; no other information is leaked.
Recommendations

For versions prior to 13.10.8, update to version 13.10.8 or later.
For versions prior to 14.4.3, update to version 14.4.3 or later.
For versions prior to 14.7RC1, update to version 14.7RC1 or later.
As a temporary workaround, consider patching uorgsuggest.vm directly to apply the same changes as in the provided GitHub pull request.

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2023-29203
GHSA-VVP7-R422-RX83

Affected Products

Xwiki Commons