Description
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, the `Mail.MailConfig` page can be edited by any logged-in user by default. Consequently, any such user can change the mail obfuscation configuration and can view and edit the mail sending configuration, including the SMTP domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users (e.g., the `XWiki.XWikiAdminGroup` group) can view, edit and delete it.
References (5)
Vendor Advisory (x_refsource_confirm): https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
Patch, Vendor Advisory (x_refsource_misc): https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1
Patch, Vendor Advisory (x_refsource_misc): https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4
Issue Tracking, Patch, Vendor Advisory (x_refsource_misc): https://jira.xwiki.org/browse/XWIKI-20519
Exploit, Issue Tracking, Patch, Vendor Advisory (x_refsource_misc): https://jira.xwiki.org/browse/XWIKI-20671
Scores
CVSS v3 base score: 9.9
EPSS score: 0.0084
EPSS percentile: 74.8%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical impact: total
Details
CWE: CWE-269
Status: published
Products (4)
org.xwiki.platform/xwiki-platform-mail-send-default (Maven): 11.8-rc-1 - 14.4.8
xwiki/xwiki: 11.8 milestone1
xwiki/xwiki: 15.0
xwiki/xwiki: 11.8.1 - 14.4.8
Published: Jun 23, 2023
Tracked since: Feb 18, 2026