Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-48241

Good to know:

icon
icon

Date: November 20, 2023

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). While there is a right check normally, the right check can be circumvented by explicitly requesting fields from Solr that don't include the data for the right check. This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked. No known workarounds are available.

Language: Java

Severity Score

Related Resources (6)

https://jira.xwiki.org/browse/XWIKI-21138
https://github.com/xwiki/xwiki-platform
https://nvd.nist.gov/vuln/detail/CVE-2023-48241
https://github.com/xwiki/xwiki-platform/commit/93b8ec702d7075f0f5794bb05dfb651382596764
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7fqr-97j7-jgf4
https://www.mend.io/vulnerability-database/CVE-2023-48241

Severity Score

Weakness Type (CWE)

Improper Authorization

CWE-285

Insufficient Information

NVD-CWE-noinfo

Top Fix

icon

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-search-solr-query:14.10.15,15.5.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us