CVE-2023-35151

HIGH

Xwiki < 14.4.8 - Exposure to Wrong Actor

Title source: rule

Description

XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.

References (3)

[Vendor Advisory] https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56

[Patch, Vendor Advisory] https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

View Patch ZIP pw:eip

[Issue Tracking, Vendor Advisory] https://jira.xwiki.org/browse/XWIKI-16138

Scores

CVSS v3 7.5

EPSS 0.0042

EPSS Percentile 61.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-359 CWE-668

Status published

Products (4)

org.xwiki.platform/xwiki-platform-rest-server 7.3-milestone-1 - 14.4.8Maven

xwiki/xwiki 7.3 milestone1

xwiki/xwiki 15.0 (2 CPE variants)

xwiki/xwiki 7.4 - 14.4.8

Published Jun 23, 2023

Tracked Since Feb 18, 2026