PT-2023-25170 · Xwiki · Xwiki Platform

Vincent Massol · Published 2023-06-20 · Updated 2023-06-30 · CVE-2023-35151

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 7.3-milestone-1 through 14.4.7. The fix is included in releases 14.4.8, 14.10.6 and 15.1; in each of those release lines, versions prior to the fixed release are affected.
Description

The issue allows any user to call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. For instance, calling "http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0" exposes the data when user U1 exists on wiki xwiki.

Recommendations

To resolve the issue, upgrade to one of the patched versions: 14.4.8, 14.10.6 or 15.1. There is no known workaround, so upgrading is the only remediation.
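As an added example that is not part of this advisory, the Python below scans web-server access log lines for reads of XWiki.XWikiUsers objects through the REST path described above and reports source addresses that fetched the objects of several distinct user pages, which helps a defender judge whether the endpoint was being harvested before the upgrade was applied. The combined access log format is an assumption and the sample lines are constructed.

```python
import re
from collections import defaultdict

# REST path from the advisory: object <num> of class XWiki.XWikiUsers on a user page.
USER_OBJECT_RE = re.compile(
    r"/rest/wikis/(?P<wiki>[^/]+)/spaces/XWiki/pages/(?P<page>[^/]+)"
    r"/objects/XWiki\.XWikiUsers/(?P<num>\d+)(?:[/?]|$)"
)

# Apache/Nginx "combined" access log line (assumed format); the path keeps its query string.
ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_user_object_reads(lines):
    """One dict per request that reads an XWiki.XWikiUsers object through REST."""
    hits = []
    for line in lines:
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than abort the scan
        p = USER_OBJECT_RE.search(m.group("path"))
        if not p:
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "wiki": p.group("wiki"),
                     "page": p.group("page"), "status": int(m.group("status"))})
    return hits

def enumerating_sources(hits, threshold=3):
    """Source IPs that successfully (HTTP 200) read objects of >= threshold distinct user pages."""
    pages_by_ip = defaultdict(set)
    for h in hits:
        if h["status"] == 200:
            pages_by_ip[h["ip"]].add(h["page"])
    return {ip: sorted(p) for ip, p in pages_by_ip.items() if len(p) >= threshold}

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2023:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 HTTP/1.1" 200 1432',
    '10.0.0.5 - - [20/Jun/2023:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U2/objects/XWiki.XWikiUsers/0 HTTP/1.1" 200 1398',
    '10.0.0.5 - - [20/Jun/2023:10:00:03 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U3/objects/XWiki.XWikiUsers/0 HTTP/1.1" 200 1401',
    '10.0.0.5 - - [20/Jun/2023:10:00:04 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U4/objects/XWiki.XWikiUsers/0?media=json HTTP/1.1" 200 1187',
    '10.0.0.9 - - [20/Jun/2023:10:05:00 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 HTTP/1.1" 200 1432',
    '10.0.0.9 - - [20/Jun/2023:10:05:10 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001',
    '10.0.0.9 - - [20/Jun/2023:10:05:20 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U9/objects/XWiki.XWikiUsers/0 HTTP/1.1" 404 312',
    "garbage line that does not parse",
]
```

Run `enumerating_sources(find_user_object_reads(SAMPLE_LOG))` to see the one address that walked four different user pages; the 404 and the ordinary page view are ignored.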

Weakness Enumeration

CWE-668: Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2023-35151
GHSA-8G9C-C9CM-9C56

Affected Products

Xwiki Platform