CVE-2023-34467

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 3.5-milestone-1 through 14.4.7 XWiki Platform versions 14.5.0 through 14.10.3 XWiki Platform versions 15.0-rc-0

Description The mail obfuscation configuration was not fully taken into account, allowing users to infer the mail content. While the mail displayed to the end user was obfuscated, the rest response was also containing the mail unobfuscated, and users were able to filter and sort on the unobfuscated. The consequence was the possibility to retrieve the email addresses of all users even when obfuscated.

Recommendations For XWiki Platform versions 3.5-milestone-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.5.0 through 14.10.3, update to version 14.10.4 or later. For XWiki Platform versions 15.0-rc-0, update to version 15.0-rc-1 or later. As a temporary workaround, consider modifying the page XWiki.LiveTableResultsMacros following the provided patch.