CVE-2023-35151: Email addresses are shown in clear in REST results

XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

CVE

  • Type: Bug
  • Resolution: Fixed
  • Priority: Blocker
  • Affects Version/s: 7.3-milestone-1
  • Component/s: REST
  • Development Priority: Medium
  • Documentation in Release Notes: N/A
  • Pull Request Status: Pull Request accepted

We need to check the obfuscation parameter and obfuscate the email when it is enabled.

Reproduction steps:

  • Create a user U1
  • Set an email
  • Activate email obfuscation
  • Query http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 (the query must be done with a user with no edit rights on XWiki.U1 as we don’t obfuscate emails for users with edit rights)

Expected:

  • The mail is obfuscated

Actual:

  • The mail is displayed un-obfuscated

Actually what’s really bad is that the same is true for passwords that are returned (hashed) to the end user, making them very easily breakable offline (e.g., rainbow tables and such).
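As an added regression check (not XWiki's own code and not from the issue), the following Python audit parses a saved REST response for the XWiki.XWikiUsers object and flags the two findings reported above: the email property returned in clear, and a Password-type property returned with a value. The `<property name=... type=...><value>` layout is assumed to match XWiki's REST object representation, both sample responses are constructed, and the obfuscated form and the empty password value in the "patched" sample are assumptions about a safe response, not something this page documents.

```python
# Added example: audit a saved XWiki REST <object> response for the leaks
# described in XWIKI-16138. The response is expected to have been fetched
# as a user WITHOUT edit rights on the profile page (the only case in which
# XWiki obfuscates the address), as in the reproduction steps.
import xml.etree.ElementTree as ET

NS = {"x": "http://www.xwiki.org"}  # default namespace of XWiki REST XML (assumed)


def user_object_properties(xml_text: str) -> dict:
    """Map property name -> (type, value) from an <object> response body."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("x:property", NS):
        value = prop.findtext("x:value", default="", namespaces=NS)
        props[prop.get("name")] = (prop.get("type"), value)
    return props


def audit_user_object(xml_text: str, configured_email: str) -> dict:
    """Flag an email returned in clear and any Password-type value returned."""
    props = user_object_properties(xml_text)
    _, email_value = props.get("email", ("", ""))
    local_part = configured_email.split("@", 1)[0]
    # Obfuscation must at least hide the local part; if it is still present
    # verbatim, the address was returned in clear.
    email_leaked = bool(email_value) and local_part in email_value
    # A Password-type property carrying any value (hashed or not) is a leak.
    password_exposed = any(
        ptype == "Password" and bool(value) for ptype, value in props.values()
    )
    return {"email_leaked": email_leaked, "password_exposed": password_exposed}


# Constructed sample: the pre-fix behaviour (address in clear, hash returned).
VULNERABLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<object xmlns="http://www.xwiki.org">
  <className>XWiki.XWikiUsers</className>
  <number>0</number>
  <property name="email" type="Email"><value>u1@example.com</value></property>
  <property name="password" type="Password"><value>hash:SHA-512:SAMPLE-HASH</value></property>
</object>"""

# Constructed sample of a safe response (obfuscated form and empty password are assumed).
PATCHED_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<object xmlns="http://www.xwiki.org">
  <className>XWiki.XWikiUsers</className>
  <number>0</number>
  <property name="email" type="Email"><value>...@example.com</value></property>
  <property name="password" type="Password"><value></value></property>
</object>"""
```

Run it against a response captured from an upgraded instance to confirm both findings come back False before closing the ticket.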

Related news

GHSA-8g9c-c9cm-9c56: XWiki Platform may show email addresses in clear in REST results

### Impact

Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated). For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user `U1` exists on wiki `xwiki`.

### Patches

The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1.

### Workarounds

There is no known workaround. It is advised to upgrade to one of the patched versions.

### References

- https://jira.xwiki.org/browse/XWIKI-16138
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
