CVE-2023-29203
First published: Sat Apr 15 2023(Updated: )
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | >=13.9<13.10.8 | |
| Xwiki Xwiki | >=14.4.0<14.4.3 | |
| Xwiki Xwiki | >=14.5<=14.6 | |
| Xwiki Xwiki | =13.9-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2023-29203?
The severity of CVE-2023-29203 is rated as medium with a score of 5.3.
What is the nature of CVE-2023-29203?
CVE-2023-29203 allows unauthorized user listings from a subwiki where hidden users from the main wiki can be accessed.
How do I fix CVE-2023-29203?
To fix CVE-2023-29203, update your XWiki software to a version that addresses this vulnerability.
Which versions are affected by CVE-2023-29203?
CVE-2023-29203 affects XWiki versions from 13.9-rc1 up to 14.4.3 and also 14.5.
What types of applications are vulnerable to CVE-2023-29203?
CVE-2023-29203 impacts applications that use XWiki Commons libraries, which are common in various XWiki projects.
- collector/nvd-index
- vendor/xwiki
- product/xwiki
- canonical/xwiki xwiki