7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34467

GHSA ID

GHSA-7vr7-cghh-ch63

EPSS Score

0.78306%

CWE

CWE-402

Published

6/20/2023

Updated

11/12/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-34467

CVE-2023-34467: XWiki Platform may retrieve email addresses of all users

Impact

The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated:

the rest response was also containing the mail unobfuscated
user were able to filter and sort on the unobfuscated (allowing to infer the mail content)

The consequence was the possibility to retrieve the email addresses of all users even when obfuscated.

See https://jira.xwiki.org/browse/XWIKI-20333 for the reproduction steps.

Patches

This has been patched in XWiki 14.10.4, XWiki 14.4.8, and XWiki 15.0-rc-1.

Workarounds

The workaround is to modify the page XWiki.LiveTableResultsMacros following this patch.

References

https://jira.xwiki.org/browse/XWIKI-20333

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by @floerer

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-34467

GHSA ID

GHSA-7vr7-cghh-ch63

EPSS Score

0.78306%

CWE

CWE-402

Published

6/20/2023

Updated

11/12/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-livetable-ui	maven	>= 3.5-milestone-1, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-livetable-ui	maven	>= 14.5, < 14.10.4	14.10.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues in LiveTableResultsMacros.xml: 1) The column inclusion logic (around line 79) originally only excluded Password fields, leaving Email fields exposed in query results. 2) The field value rendering (around line 493) lacked email obfuscation checks. The patch adds checks for email type and obfuscation configuration in both locations, confirming these were the vulnerable code paths. The CWE-402/668 mapping aligns with resource exposure through improper query construction and response handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** m*il o**us**tion *on*i*ur*tion w*s not *ully t*k*n into ***ount *n* w*il* t** m*il *ispl*y** to t** *n* us*r w*s o**us**t**: - t** r*st r*spons* w*s *lso *ont*inin* t** m*il uno**us**t** - us*r w*r* **l* to *ilt*r *n* sort on t** uno**

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s in `Liv*T**l*R*sultsM**ros.xml`: *) T** *olumn in*lusion lo*i* (*roun* lin* **) ori*in*lly only *x*lu*** P*sswor* *i*l*s, l**vin* *m*il *i*l*s *xpos** in qu*ry r*sults. *) T** *i*l* v*lu* r*n**rin* (*roun*

7.5

Basic Information

Concerned about an active attack path?

CVE-2023-34467: XWiki Platform may retrieve email addresses of all users

Impact

Patches

Workarounds

References

For more information

Attribution

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI