GHSA-8g9c-c9cm-9c56

GitHub Security Advisory

XWiki Platform may show email addresses in clear in REST results

✓ GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact
Any user can call a REST endpoint and obtain users' email addresses in clear, even when mail obfuscation is activated. The REST server returned the raw `email` property of the `XWiki.XWikiUsers` object without applying the obfuscation that the rest of the wiki honours.

For instance, when user `U1` exists on wiki `xwiki`, calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 returns that user's profile object, email address included.
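The request above is easy to turn into a check for your own instance. The script below is an added example, not code from XWiki or from the advisory: it builds the object URL the advisory cites, parses the REST object, and reports whether the `email` property comes back usable or obfuscated. It assumes (the page does not say) that the endpoint answers JSON when asked with `Accept: application/json`, shaped as `{"className": ..., "properties": [{"name": ..., "value": ...}, ...]}`, and that an obfuscated address keeps the domain while the local part is reduced to placeholder characters; the two sample responses are constructed, not captured from a server.

```python
"""Check whether an XWiki REST user object leaks the e-mail address in clear.

Added example, not XWiki project code. Assumptions (not stated in the advisory):
- the REST object resource answers JSON for Accept: application/json, shaped as
  {"className": ..., "properties": [{"name": ..., "value": ...}, ...]}
- an obfuscated address keeps the domain and turns the local part into
  placeholder characters (dots, asterisks, an ellipsis); a local part with real
  letters or digits is treated as leaked.
"""
import json
import sys
import urllib.request
from urllib.parse import quote


def user_object_url(base_url, wiki, user, index=0):
    """URL of object number `index` of class XWiki.XWikiUsers on the user's profile page."""
    return (f"{base_url.rstrip('/')}/rest/wikis/{quote(wiki, safe='')}/spaces/XWiki"
            f"/pages/{quote(user, safe='')}/objects/XWiki.XWikiUsers/{index}")


def email_property(rest_object):
    """Value of the 'email' property in a REST object document, or None when missing."""
    for prop in rest_object.get("properties", []):
        if prop.get("name") == "email":
            return prop.get("value")
    return None


def classify_email(value):
    """'clear' for a usable address, 'obfuscated' when the local part is only
    placeholder characters (assumed obfuscation style), 'absent' otherwise."""
    if not value or "@" not in value:
        return "absent"
    local, _, domain = value.partition("@")
    if not local or "." not in domain:
        return "absent"
    if "*" in local or "\u2026" in local or not any(c.isalnum() for c in local):
        return "obfuscated"
    return "clear"


def check_user_object(body):
    """Parse a REST object response (JSON text) and report whether it leaks the e-mail."""
    rest_object = json.loads(body)
    value = email_property(rest_object)
    status = classify_email(value)
    return {
        "className": rest_object.get("className"),
        "email": value,
        "status": status,
        "leaks": status == "clear",
    }


def fetch_user_object(base_url, wiki, user, timeout=10):
    """Live check against a wiki you are authorised to test. The request is sent
    unauthenticated on purpose: the advisory says any user can reach the endpoint."""
    req = urllib.request.Request(user_object_url(base_url, wiki, user),
                                 headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return check_user_object(resp.read().decode("utf-8"))


# Constructed sample responses (not captured from a real server), in the assumed shape.
LEAKING_RESPONSE = json.dumps({
    "id": "xwiki:XWiki.U1^XWiki.XWikiUsers[0]",
    "className": "XWiki.XWikiUsers",
    "properties": [
        {"name": "first_name", "type": "String", "value": "U1"},
        {"name": "email", "type": "Email", "value": "u1.user@example.org"},
    ],
})
OBFUSCATED_RESPONSE = json.dumps({
    "id": "xwiki:XWiki.U1^XWiki.XWikiUsers[0]",
    "className": "XWiki.XWikiUsers",
    "properties": [
        {"name": "first_name", "type": "String", "value": "U1"},
        {"name": "email", "type": "Email", "value": "...@example.org"},
    ],
})

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: script.py http://host:8080/xwiki <wiki> <user>
        result = fetch_user_object(sys.argv[1], sys.argv[2], sys.argv[3])
        print(result)
        sys.exit(1 if result["leaks"] else 0)
    for label, body in (("leaking", LEAKING_RESPONSE), ("obfuscated", OBFUSCATED_RESPONSE)):
        print(label, check_user_object(body))
```

Run it with no arguments to see the two constructed cases classified, or with a base URL, wiki name and user name to query a wiki you are allowed to test; a non-zero exit means the address came back in clear. Treat both "obfuscated" and "absent" as not leaking, since a patched server may apply obfuscation or withhold the property rather than return it raw.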

### Patches
The issue has been patched in XWiki 14.4.8, 14.10.6 and 15.1.

### Workarounds
There is no known workaround. It is advised to upgrade to one of the patched versions.

### References
- https://jira.xwiki.org/browse/XWIKI-16138
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: >= 7.3-milestone-1, < 14.4.8 (fixed in 14.4.8)
Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: >= 14.5, < 14.10.6 (fixed in 14.10.6)
Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: >= 15.0-rc-1, < 15.1 (fixed in 15.1)

Key Information

GHSA ID
GHSA-8g9c-c9cm-9c56
Published
June 20, 2023 4:46 PM
Last Modified
June 20, 2023 4:46 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-rest-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.