PT-2023-8596 · Apache+1 · Solr+1

Ynoof · Published 2023-12-15 · Updated 2023-12-19 · CVE-2023-50720

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.15
XWiki Platform versions prior to 15.5.2
XWiki Platform versions prior to 15.7-rc-1

Description
The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. This can be demonstrated by searching for objcontent:email* through XWiki's regular search interface. The issue stems from missing protection of this service data, which allows a remote, unauthenticated attacker to learn the email addresses of registered users.

Recommendations
For XWiki Platform versions prior to 14.10.15, update to version 14.10.15 or later.
For XWiki Platform versions prior to 15.5.2, update to version 15.5.2 or later.
For XWiki Platform versions prior to 15.7-rc-1, update to version 15.7-rc-1 or later.
As a temporary workaround, consider restricting access to the Solr-based search feature until the issue is resolved. Avoid using the objcontent:email* search query in the affected API endpoint until the issue is resolved.
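One way to watch for use of the query named above in web server access logs while the workaround is in place, added here as an example that is not part of the advisory (the XWiki endpoint paths and the log lines are constructed; the objcontent:email term is the one the advisory names):

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not from the advisory). The endpoint
# paths are assumptions; only the objcontent:email* term comes from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/Search?text=objcontent%3Aemail%2A HTTP/1.1" 200 5120
203.0.113.5 - - [15/Dec/2023:10:01:09 +0000] "GET /xwiki/bin/view/Main/Search?text=meeting+notes HTTP/1.1" 200 4096
198.51.100.7 - - [15/Dec/2023:10:02:30 +0000] "GET /xwiki/bin/get/Main/SolrSearch?q=OBJCONTENT%253Aemail*&media=json HTTP/1.1" 200 2048
"""

# Common Log Format: client, identd, user, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Field-scoped Solr query on objcontent that reaches into the email property.
# Matched after URL decoding, so %3A / %253A encodings and case variants are caught.
EMAIL_FIELD_QUERY = re.compile(r'objcontent\s*:\s*email', re.IGNORECASE)

def decode_params(target):
    """Return (name, fully URL-decoded value) pairs for a request target."""
    query = urlsplit(target).query
    pairs = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; unquote again to undo a second encoding layer
        pairs.append((name, unquote(value)))
    return pairs

def find_email_field_queries(log_text):
    """Return one hit per request whose search parameters scope Solr to objcontent email."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in decode_params(m.group("target")):
            if EMAIL_FIELD_QUERY.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "param": name,
                    "query": value,
                    "status": int(m.group("status")),
                })
                break  # one hit per request is enough
    return hits

if __name__ == "__main__":
    for hit in find_email_field_queries(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['timestamp']} {hit['param']}={hit['query']!r} -> {hit['status']}")
```

A hit with a 200 status on an unpatched instance is worth treating as a possible disclosure of user email addresses and correlating with the source address.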

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2024-01249
CVE-2023-50720
GHSA-2GRH-GR37-2283

Affected Products

Solr
Xwiki Platform