Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36091: [XWIKI-18849] Private user data are accessible through suggest.vm

XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn’t have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file suggest.vm can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

CVE
Open in Source
#vulnerability#web#ldap#auth

  • Type: Bug

  • Status: Closed

  • Priority: Blocker

  • Resolution: Fixed

  • Affects Version/s: 1.3 RC1

  • Environment:

    A standard Wiki and a completely closed Wiki

  • Development Priority:

    High

  • Documentation in Release Notes:

    N/A

Reproduction steps:

  • Go to:
    • http://<server>/bin/login/XWiki/XWikiLogin?xpage=suggest&classname=XWiki.XWikiUsers&templatename=&input=&fieldname=email

Results:

  • suggets template let access email, password hash and about every user profile information

Expected Results:

  • None of the previous informations should be accessible

is related to

XWIKI-18851 Unauthenticated user can retrieve user information through getdeleteddocuments.vm

  • Closed

XWIKI-16544 Unauthenticated user can retrieve the list of users through getdocuments.vm

  • Closed

XWIKI-18850 Unauthenticated user can retrieve the list of users through uorgsuggest.vm

  • Closed

links to

Related news

GHSA-599v-w48h-rjrm: XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor

### Impact Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on [private wikis](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/#HPrivateWiki) at least for string properties. ### Patches The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. ### Workarounds The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been [overridden](https://extensions.xwiki.org/xwiki/bin/view/Extension/Skin%20Application#HHowtoo...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE