GHSA-2grh-gr37-2283

GitHub Security Advisory

Solr search discloses email addresses of users

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface.

### Patches
This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. Further, changing the setting now triggers re-indexing of the affected wiki(s).

### Workarounds
We're not aware of any workarounds.

### References
* https://jira.xwiki.org/browse/XWIKI-20371
* https://github.com/xwiki/xwiki-platform/commit/3e5272f2ef0dff06a8f4db10afd1949b2f9e6eea

### Attribution
This vulnerability was reported on Intigriti by [ynoof](https://twitter.com/ynoofAssiri) @Ynoof5.

Affected Packages

* Maven org.xwiki.platform:xwiki-platform-search-solr-api, affected versions: 0 (fixed in 14.10.15)
* Maven org.xwiki.platform:xwiki-platform-search-solr-api, affected versions: 15.0-rc-1 (fixed in 15.5.2)
* Maven org.xwiki.platform:xwiki-platform-search-solr-api, affected versions: 15.6-rc-1 (fixed in 15.7-rc-1)
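
To check a resolved dependency version against the affected ranges listed above, the following is an added example, not part of the advisory or of XWiki's code. It assumes dependency lines in `group:artifact:type:version:scope` form with any log prefix removed, and it uses a simplified version ordering (numeric parts plus an optional `-rc-N` / `RCN` qualifier) rather than full Maven ordering; the sample lines are constructed.

```python
import re

PACKAGE = "org.xwiki.platform:xwiki-platform-search-solr-api"
# (first affected, first fixed) pairs taken from the advisory's affected-packages list.
AFFECTED_RANGES = [("0", "14.10.15"), ("15.0-rc-1", "15.5.2"), ("15.6-rc-1", "15.7-rc-1")]

# Accepts both spellings used on the page: "15.7-rc-1" and "15.7RC1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?rc-?(\d+))?$", re.IGNORECASE)


def version_key(text):
    """Return a sortable key; a release candidate sorts before its final release."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        # SNAPSHOT or other qualifiers are outside this simplified parser.
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while nums and nums[-1] == 0:  # treat 15.0 and 15 as the same release
        nums.pop()
    if m.group(2) is None:
        return (tuple(nums), 1, 0)
    return (tuple(nums), 0, int(m.group(2)))


def is_affected(version):
    """True if version falls in any range: first affected inclusive, first fixed exclusive."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def affected_dependencies(lines):
    """Return the affected versions of PACKAGE found in dependency coordinate lines."""
    hits = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and ":".join(parts[:2]) == PACKAGE and is_affected(parts[3]):
            hits.append(parts[3])
    return hits


# Constructed sample input, not taken from a real build.
SAMPLE = [
    "org.xwiki.platform:xwiki-platform-search-solr-api:jar:15.5.1:compile",
    "org.xwiki.platform:xwiki-platform-search-solr-api:jar:15.7RC1:compile",
    "org.xwiki.commons:xwiki-commons-component-api:jar:15.5.1:compile",
]

if __name__ == "__main__":
    print(affected_dependencies(SAMPLE))
```

Upgrading alone may not be sufficient on an existing index: per the Patches section, re-indexing is triggered when the obfuscation setting changes.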

Key Information

* GHSA ID: GHSA-2grh-gr37-2283
* Published: December 16, 2023 12:32 AM
* Last Modified: December 16, 2023 12:32 AM
* CVSS Score: 5.0/10
* Primary Ecosystem: Maven
* Primary Package: org.xwiki.platform:xwiki-platform-search-solr-api
* GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 22, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.