Improper Authorization in XWiki platform - CVE-2023-48241

 

Published: November 20, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129912
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-48241
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authorization in the Solr suggest service. A search request may explicitly specify which fields Solr should return; when the requested fields omit the data the service needs to check the requester's view right on each hit, the rights check is not applied and the matching results are returned anyway. A remote attacker can send a specially crafted suggest request to disclose sensitive information.

Because access to the suggest service is public by default, the request can be sent without authentication, and the issue can expose the content of documents across all wikis of the instance, excluding some protected information such as password hashes.
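The following Python block is an added illustration of the authorization pattern the description refers to; it is not XWiki's code and does not reproduce the actual suggest service. It models a search endpoint that forwards a client-chosen field list (`fl`) to Solr and then filters hits by the caller's view right. The index, the ACL, the `RIGHTS_FIELDS` tuple and the "fails open when the hit cannot be identified" behaviour are all assumptions of the model, not details taken from this page.

```python
"""Model of the authorization bypass pattern behind CVE-2023-48241.

Added example, not XWiki code: a suggest endpoint forwards a client-chosen
Solr field list ("fl") and then filters hits by the caller's view right.
If the filter needs fields the client did not ask for, and lets through
hits it cannot identify, the rights check is silently skipped.
"""

# Constructed stand-in for a Solr index (not real XWiki documents).
INDEX = [
    {"wiki": "xwiki", "space": "Main", "name": "Public",
     "title": "Welcome", "content": "public text"},
    {"wiki": "xwiki", "space": "HR", "name": "Salaries",
     "title": "Salaries 2023", "content": "confidential"},
    {"wiki": "finance", "space": "Board", "name": "Minutes",
     "title": "Board minutes", "content": "secret"},
]

# Assumption for this model: the rights check identifies a document by these fields.
RIGHTS_FIELDS = ("wiki", "space", "name")

# Constructed ACL: (wiki, space) pairs each user may view. Unknown users see nothing.
ACL = {
    "alice": {("xwiki", "Main")},
    "admin": {("xwiki", "Main"), ("xwiki", "HR"), ("finance", "Board")},
}


def solr_select(fl):
    """Simulate Solr honouring 'fl': every hit carries only the requested fields."""
    wanted = set(fl)
    return [{k: v for k, v in doc.items() if k in wanted} for doc in INDEX]


def doc_reference(hit):
    """Rebuild (wiki, space, name) from a hit, or None if any piece is missing."""
    if all(f in hit for f in RIGHTS_FIELDS):
        return tuple(hit[f] for f in RIGHTS_FIELDS)
    return None


def has_view_right(user, ref):
    """Constructed rights lookup: view right is granted per (wiki, space)."""
    wiki, space, _name = ref
    return (wiki, space) in ACL.get(user, set())


def suggest_vulnerable(user, fl):
    """Client-controlled 'fl' goes straight to Solr; unidentifiable hits pass."""
    results = []
    for hit in solr_select(fl):
        ref = doc_reference(hit)
        # BUG (modelled): fails open. A request that omits wiki/space/name yields
        # ref=None, so every document, from every wiki, is returned to any caller.
        if ref is None or has_view_right(user, ref):
            results.append(hit)
    return results


def suggest_fixed(user, fl):
    """Always fetch what the rights check needs, fail closed, then project."""
    wanted = set(fl)
    results = []
    for hit in solr_select(wanted | set(RIGHTS_FIELDS)):
        ref = doc_reference(hit)
        if ref is not None and has_view_right(user, ref):
            # Strip back to the client's projection so the extra fields do not leak.
            results.append({k: v for k, v in hit.items() if k in wanted})
    return results


def leaked_content(user, fl, endpoint):
    """Compare the two endpoints: sorted 'content' values the caller receives."""
    return sorted(h["content"] for h in endpoint(user, fl) if "content" in h)


if __name__ == "__main__":
    probe = ["title", "content"]  # deliberately omits the identifying fields
    print("vulnerable:", leaked_content("alice", probe, suggest_vulnerable))
    print("fixed:     ", leaked_content("alice", probe, suggest_fixed))
```

The fix has two parts that both matter: the server, not the client, decides which fields are fetched for the rights check, and a hit that cannot be identified is dropped rather than passed through. Applying only the second part would still let a caller who omits the fields turn every result into a denial, which is safe but breaks the feature; applying only the first still leaves the fail-open branch for any future field the check may need.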


Remediation

Install security update from vendor's website.

External links