CVE-2023-34465

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 11.8-rc-1 through 14.4.7 XWiki Platform versions 14.4.8 through 14.10.5 XWiki Platform versions 15.1-rc-1 through 15.1

Description The issue is related to insecure management of privileges in the Mail.MailConfig component of the XWiki Platform. This allows any logged-in user to edit the Mail.MailConfig by default, potentially changing the mail obfuscation configuration and viewing or editing the mail sending configuration, including the smtp domain name and credentials.

Recommendations For XWiki Platform versions 11.8-rc-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.4.8 through 14.10.5, update to version 14.10.6 or later. For XWiki Platform versions 15.1-rc-1 through 15.1, update to version 15.2 or later. As a temporary workaround, consider manually updating the rights of the Mail.MailConfig page so that only a set of trusted users can view, edit, and delete it, such as the XWiki.XWikiAdminGroup group.