Vulnerability Details : CVE-2023-38509
XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui, starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account: it was still possible to sort live table results by obfuscated email addresses. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1. A workaround is to modify the page `XWiki.LiveTableResultsMacros` following the patch.
Products affected by CVE-2023-38509
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-38509
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- Percentile: ~51% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2023-38509
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST | 
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | GitHub, Inc. | 
CWE ids for CVE-2023-38509
- The product makes resources available to untrusted parties when those resources are only intended to be accessed by the product. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2023-38509
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g
  Obfuscated email addresses should not be sorted · Advisory · xwiki/xwiki-platform · GitHub (Third Party Advisory)
- https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c
  XWIKI-20601: Improved User Directory sorting · xwiki/xwiki-platform@1dfb680 · GitHub (Patch)
- ttps://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0
  Broken Link
- https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0
  XWIKI-20601: Improved User Directory sorting · xwiki/xwiki-platform@1dfb680 · GitHub
- https://jira.xwiki.org/browse/XWIKI-20601
  [XWIKI-20601] Obfuscated email addresses should not be sorted - XWiki.org JIRA (Exploit; Issue Tracking; Vendor Advisory)