Transmission of Private Resources into a New Sphere ('Resource Leak') in XWiki platform - CVE-2023-34467

Published: June 20, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129955
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-34467
CWE-ID: CWE-402
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the live table REST response returned for user listing requests exposes private resources: the email addresses it contains are not obfuscated. A remote attacker can send a user listing request, retrieve the unobfuscated email addresses and disclose sensitive information.

The issue also allows filtering and sorting on unobfuscated email values, which can be used to infer email content even when displayed addresses are obfuscated.
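To make the filtering and sorting problem concrete, here is an added example: a constructed model of a user-listing endpoint (not XWiki's code, with constructed sample records) that obfuscates addresses only for display, beside a hardened version that filters and sorts only on values the caller is allowed to see.

```python
"""Constructed model of a live-table style user listing; not XWiki's code."""
from typing import Dict, List

# Constructed sample records (assumed data, not real users).
USERS = [
    {"name": "alice", "email": "alice@example.org"},
    {"name": "bob", "email": "bob@example.net"},
    {"name": "carol", "email": "alan@example.org"},
]

# Fields a caller may filter or sort on without learning hidden values.
SAFE_SORT_FIELDS = {"name"}


def obfuscate(email: str) -> str:
    """Hide the local part of an address for display (e.g. a***@example.org)."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def list_users_vulnerable(filter_email: str = "", sort_by: str = "name") -> List[Dict]:
    """Filter and sort on the raw address, then obfuscate only for display.
    Which rows match and the order they come back in still depend on the
    hidden value, so a caller can infer it without ever seeing it."""
    rows = [u for u in USERS if filter_email in u["email"]]
    rows.sort(key=lambda u: u[sort_by])
    return [{"name": u["name"], "email": obfuscate(u["email"])} for u in rows]


def list_users_fixed(filter_email: str = "", sort_by: str = "name") -> List[Dict]:
    """Obfuscate first, filter on the displayed value, and refuse to sort on
    any field the caller cannot view in clear."""
    if sort_by not in SAFE_SORT_FIELDS:
        raise ValueError(f"sorting on {sort_by!r} is not permitted")
    rows = [{"name": u["name"], "email": obfuscate(u["email"])} for u in USERS]
    rows = [r for r in rows if filter_email in r["email"]]
    rows.sort(key=lambda r: r[sort_by])
    return rows
```

In the vulnerable version a filter on the hidden local part still selects rows, and sorting by email orders carol before alice even though both display as `a***@example.org`; the fixed version matches only on what is displayed and rejects the sort.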


Remediation

Install security update from vendor's website.

External links