CVE-2023-50720 MEDIUM

CVE-2023-50720: XWiki Platform Solr search discloses email addresses of users

Vendor Xwiki

Product xwiki-platform

Weakness CWE-200 · Info exposure

Published December 15, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

December 15, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-50720 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2023-50720

CWE CWE-200

CVSS 5.3 / MEDIUM

Affected versions

Vendor Xwiki

Product xwiki-platform

Affected < 14.10.15

Vendor Xwiki

Product xwiki-platform

Affected >= 15.0-rc-1, < 15.5.2

Vendor Xwiki

Product xwiki-platform

Affected >= 15.6-rc-1, < 15.7-rc-1

CVE-2023-50720: XWiki Platform Solr search discloses email addresses of users

01Description

02Disclosure timeline

03References

04Related CVE