Headline
GHSA-7f2f-pcv3-j2r7: XWiki Platform's tags on non-viewable pages can be revealed to users
Impact
Tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages.
Patches
This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1.
Workarounds
There is no workaround apart from upgrading to a fixed version.
References
- https://jira.xwiki.org/browse/XWIKI-20002
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Package
maven org.xwiki.platform:xwiki-platform-tag-api (Maven)
Affected versions
>= 5.0-milestone-1, < 14.4.8
>= 14.5, < 14.10.4
Patched versions
14.4.8
14.10.4
Description
Impact
Tags from pages not viewable to the current user are leaked by the tags API.
This information can also be exploited to infer the document reference of non-viewable pages.
Patches
This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1.
Workarounds
There is no workaround apart from upgrading to a fixed version.
References
- https://jira.xwiki.org/browse/XWIKI-20002
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
References
- GHSA-7f2f-pcv3-j2r7
- https://jira.xwiki.org/browse/XWIKI-20002
manuelleduc published to xwiki/xwiki-platform
Jun 20, 2023
Published to the GitHub Advisory Database
Jun 20, 2023
Reviewed
Jun 20, 2023
Related news
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1.