CVE-2023-34465: Mail.MailConfig can be edited by any user with edit rights

XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, Mail.MailConfig can be edited by any logged-in user by default. Consequently, such a user can change the mail obfuscation configuration and can view and edit the mail sending configuration, including the SMTP domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the Mail.MailConfig page can be manually updated so that only a set of trusted users (e.g., the XWiki.XWikiAdminGroup group) can view, edit and delete it.

Jira issue XWIKI-20519 (XWiki Platform)

Details

  • Type: Security
  • Resolution: Fixed
  • Priority: Blocker
  • Affects Version/s: 11.8-rc-1
  • Component/s: Mail
  • Documentation in Release Notes: N/A
  • Pull Request Status: Awaiting Committer feedback

Description

Mail.MailConfig is expected to be editable by admins only, as it contains some configurations (e.g., the obfuscation of mails). But currently there are no restrictions, and it can be edited by any user with edit rights.

Mail.SendMailConfigClass in Mail.MailConfig can also be edited in the same way, allowing any user to redirect sent mail to a rogue SMTP server and thereby receive all emitted mails.

Issue Links

  • is related to: XWIKI-20671 Objects of Mail.MailConfig can be edited by any user with edit rights (Closed)
  • relates to: XWIKI-15196 SMTP settings used for each new wiki not inherited from xwiki.properties (Closed)


Dates

  • Created: 02/Jan/23 16:04
  • Resolved: 21/Feb/23 17:20

Related news

GHSA-g75c-cjr6-39mc: XWiki Platform's Mail.MailConfig can be edited by any user with edit rights

### Impact

`Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can:

- change the mail obfuscation configuration
- view and edit the mail sending configuration, including the smtp domain name and credentials.

### Patches

The problem has been patched on XWiki 14.4.8, 15.1, and 14.10.6.

### Workarounds

The rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group). On 14.4.8+, 15.1-rc-1+, or 14.10.5+, if at startup `Mail.MailConfig` does not have any rights defined, `view`, `edit` and `delete` rights are automatically granted to the `XWiki.XWikiAdminGroup` group. See the corresponding [patch](https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4).

### References

- https://jira.xwiki.org/browse/XWIKI-20519
- https://jira.xwiki.org/browse/XWIKI-20671
- https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1a...
