Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-34465

Good to know:

icon

Date: June 23, 2023

XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group).

Language: Java

Severity Score

Related Resources (8)

https://github.com/advisories/GHSA-g75c-cjr6-39mc
https://jira.xwiki.org/browse/XWIKI-20671
https://nvd.nist.gov/vuln/detail/CVE-2023-34465
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1
https://jira.xwiki.org/browse/XWIKI-20519
https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4
https://www.mend.io/vulnerability-database/CVE-2023-34465

Severity Score

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Top Fix

icon

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-security-authorization-bridge:14.4.8,14.10.6,15.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE

Do you need more information?

Contact Us