PT-2023-24894 · Xwiki · Xwiki Platform
Manuel Leduc
·
Published
2023-06-20
·
Updated
2023-06-30
·
CVE-2023-34466
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 5.0-milestone-1 through 14.4.7
XWiki Platform versions 14.4.8 is not affected, but versions prior to 14.10.4 are affected
XWiki Platform versions prior to 15.0-rc-1
Description
The XWiki Platform leaks tags from pages not viewable to the current user through the tags API. This information can also be exploited to infer the document reference of non-viewable pages.
Recommendations
For XWiki Platform versions 5.0-milestone-1 through 14.4.7, update to version 14.4.8 or later.
For XWiki Platform versions prior to 14.10.4, update to version 14.10.4 or later.
For XWiki Platform versions prior to 15.0-rc-1, update to version 15.0-rc-1 or later.
As a temporary workaround, consider restricting access to the tags API until a patch is available.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki Platform