Low severityNVD Advisory· Published Apr 15, 2023· Updated Feb 6, 2025
Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
CVE-2023-29203
Description
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 13.9-rc-1, < 13.10.8 | 13.10.8 |
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 14.0-rc-1, < 14.4.3 | 14.4.3 |
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 14.5, < 14.7-rc-1 | 14.7-rc-1 |
Affected products
1- Range: >= 13.9-rc-1, < 13.10.8
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/advisories/GHSA-vvp7-r422-rx83ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-29203ghsaADVISORY
- github.com/xwiki/xwiki-platform/pull/1883ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pfghsaWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-vvp7-r422-rx83ghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-20007ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.