7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34467

GHSA ID

GHSA-7vr7-cghh-ch63

EPSS Score

0.78306%

CWE

CWE-402

Published

6/20/2023

Updated

11/12/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34467

CVE-2023-34467: XWiki Platform may retrieve email addresses of all users

Impact

The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated:

the rest response was also containing the mail unobfuscated
user were able to filter and sort on the unobfuscated (allowing to infer the mail content)

The consequence was the possibility to retrieve the email addresses of all users even when obfuscated.

See https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps.

Patches

This has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1.

Workarounds

The workaround is to modify the page XWiki.LiveTableResultsMacros following this patch.

References

https://jira.xwiki.org/browse/XWIKI-20333

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by @floerer

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-34467

CVE-2023-34467:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-34467

GHSA ID

GHSA-7vr7-cghh-ch63

EPSS Score

0.78306%

CWE

CWE-402

Published

6/20/2023

Updated

11/12/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-livetable-ui	maven	>= 3.5-milestone-1, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-livetable-ui	maven	>= 14.5, < 14.10.4	14.10.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues in LiveTableResultsMacros.xml: 1) The column inclusion logic (around line 79) originally only excluded Password fields, leaving Email fields exposed in query results. 2) The field value rendering (around line 493) lacked email obfuscation checks. The patch adds checks for email type and obfuscation configuration in both locations, confirming these were the vulnerable code paths. The CWE-402/668 mapping aligns with resource exposure through improper query construction and response handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-34467: XWiki Platform may retrieve email addresses of all users

Impact

Patches

Workarounds

References

For more information

Attribution

CVE-2023-34467:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-34467: XWiki Platform may retrieve email addresses of all users

Impact

Patches

Workarounds

References

For more information

Attribution

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

7.5

7.5

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI