Insufficiently protected credentials in XWiki platform - CVE-2023-34465

Published: June 20, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129947
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34465
CWE-ID: CWE-522
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to disclose sensitive information and modify mail configuration.

The vulnerability exists due to improper access control on the Mail.MailConfig page when handling edit requests. A remote user who can edit that page can view and modify the mail sending configuration, including the SMTP domain name and credentials, disclosing sensitive information and altering how the wiki sends mail.

By default, any logged-in user with edit rights can exploit this issue.

Remediation

Install the security update from the vendor's website.

External links