GitHub Advisory DatabaseGHSA-35FG-HJCR-J65FInformation exposure in xwiki-platform
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
52.0%
Impact
It’s possible to guess if a user has an account on the wiki by using the “Forgot your password” form, even if the wiki is closed to guest users.
Patches
The problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1.
Workarounds
There’s no easy workaround other than applying the upgrade.
References
https://jira.xwiki.org/browse/XWIKI-18787
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at XWiki Security Mailing list
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.xwiki.platform | xwiki-platform-web | * | cpe:2.3:a:org.xwiki.platform:xwiki-platform-web:*:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
52.0%