WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-34465 Vulnerability in maven package org.xwiki.platform:xwiki-platform-security-authorization-bridge

Description

XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the `XWiki.XWikiAdminGroup` group).

Remediation

References

https://jira.xwiki.org/browse/XWIKI-20519

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc

https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1

https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4

https://jira.xwiki.org/browse/XWIKI-20671

Related Vulnerabilities

CVE-2020-16022 Vulnerability in npm package electron

CVE-2017-16114 Vulnerability in maven package org.webjars.npm:marked

CVE-2021-39177 Vulnerability in maven package org.geysermc:connector

CVE-2021-37136 Vulnerability in maven package io.netty:netty-codec

CVE-2022-24999 Vulnerability in maven package org.webjars:qs

Severity

Critical

Classification

CWE-269 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Tags

Issue Tracking Patch Vendor Advisory Exploit