Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2023-29203

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129995
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29203
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose private personal information.

The vulnerability exists due to improper access control in uorgsuggest.vm when user suggestions are requested on a subwiki that allows only global users. A remote attacker can send a crafted request to disclose private personal information.

Only hidden users from the main wiki are affected, and the disclosed information is limited to usernames and first and last names.


Remediation

Install the security update from the vendor's website.

External links