CVE-2023-38509

XWiki Platform's obfuscated email addresses should not be sorted

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1. A workaround is to modify the page `XWiki.LiveTableResultsMacros` following the patch.

XWiki Platform es una plataforma wiki genérica. En org.xwiki.platform:xwiki-platform-livetable-ui a partir de la versión 3.5-milestone-1 y antes de las versiones 14.10.9 y 15.3-rc-1, la configuración de ofuscación de correo no se tuvo completamente en cuenta y aún se posible mediante correos electrónicos ofuscados. Esto ha sido parcheado en XWiki 14.10.9 y XWiki 15.3-rc-1. Un workaround es modificar la página `XWiki.LiveTableResultsMacros` siguiendo el parche.

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-07-18 CVE Reserved
2023-07-27 CVE Published
2024-08-02 CVE Updated
2024-08-02 EPSS Updated
2024-08-02 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')

CAPEC

References (4)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0	X_refsource_misc
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g	Third Party Advisory

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-20601	2024-08-02

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c	2024-03-18

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 3.5 < 14.10.9 Search vendor "Xwiki" for product "Xwiki" and version " >= 3.5 < 14.10.9"		-		Affected