Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2023-29203

 

Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2023-29203

Published: April 12, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129995
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-29203
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose private personal information.

The vulnerability exists due to improper access control in uorgsuggest.vm when requesting users on a subwiki that allows only global users. A remote attacker can send a crafted request to disclose private personal information.

Only hidden users from the main wiki are affected, and the disclosed information is limited to usernames and first and last names.


How to mitigate CVE-2023-29203

Install security update from vendor's website.

Sources