CVE-2023-50720

Description

### Impact The Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. ### Patches This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. Further, changing the setting now triggers re-indexing of the affected wiki(s). ### Workarounds We're not aware of any workarounds. ### References * https://jira.xwiki.org/browse/XWIKI-20371 * https://github.com/xwiki/xwiki-platform/commit/3e5272f2ef0dff06a8f4db10afd1949b2f9e6eea ### Attribution This vulnerability was reported on Intigriti by [ynoof](https://twitter.com/ynoofAssiri) @Ynoof5.

How to fix CVE-2023-50720

To remediate CVE-2023-50720, upgrade the affected package to a fixed version below.

• —upgrade to 14.10.15 or later

Is CVE-2023-50720 being exploited?

Moderate — EPSS is 43.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 14.10.15

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-50720
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/3e5272f2ef0dff06a8f4db10afd1949b2f9e6eea
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-2grh-gr37-2283