Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2023-35151

Published: June 20, 2023 / Updated: May 5, 2026
Vulnerability identifier: #VU129939
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-35151
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of private personal information in the REST endpoint for XWiki user objects when handling requests for user object results. A remote attacker can send a request to the REST API to disclose sensitive information.

Email addresses are returned in clear text even when mail obfuscation is enabled.
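A verification check a wiki administrator can run after patching, added here as an example that is not part of this advisory or of the XWiki project: create a test account whose email address you know, enable mail obfuscation, fetch that account's user object from the REST API (for example with curl, authenticated as the test account), and scan the JSON response for the known address. The response structure below is constructed sample data that only assumes the REST endpoint returns JSON; the scan walks every string value, so the exact XWiki schema does not matter.

```python
"""Scan an XWiki REST user-object response for a known clear-text email address."""
import json
from typing import Any


def find_string_leaks(node: Any, needle: str, path: str = "$") -> list[str]:
    """Return JSON paths of every string value containing `needle` (case-insensitive).

    Walking the whole document instead of a fixed property name keeps the check
    independent of the REST representation and of the obfuscation format.
    """
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits.extend(find_string_leaks(value, needle, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_string_leaks(value, needle, f"{path}[{index}]"))
    elif isinstance(node, str) and needle.lower() in node.lower():
        hits.append(path)
    return hits


def email_exposed(rest_body: str, known_email: str) -> list[str]:
    """Parse a REST response body and report where the known address appears.

    An empty list means the address is not returned in clear text; any entry
    is a location where obfuscation was not applied.
    """
    return find_string_leaks(json.loads(rest_body), known_email)


# Constructed sample responses (hypothetical shape, not captured from a real wiki).
SAMPLE_EXPOSED = json.dumps({
    "className": "XWiki.XWikiUsers",
    "properties": [
        {"name": "first_name", "value": "Alice"},
        {"name": "email", "value": "alice@example.org"},  # clear text despite obfuscation
    ],
})
SAMPLE_OBFUSCATED = json.dumps({
    "className": "XWiki.XWikiUsers",
    "properties": [
        {"name": "first_name", "value": "Alice"},
        {"name": "email", "value": "a...@example.org"},  # constructed obfuscated value
    ],
})

if __name__ == "__main__":
    for label, body in (("unpatched", SAMPLE_EXPOSED), ("patched", SAMPLE_OBFUSCATED)):
        print(label, "->", email_exposed(body, "alice@example.org") or "no clear-text email")
```

Point the check at the saved REST response of your own test account; matches in the response mean the update has not taken effect.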
How to mitigate CVE-2023-35151

Install the security update from the vendor's website.

Sources