CVE-2023-34467
📋 TL;DR
This vulnerability in XWiki Platform lets an attacker recover the email addresses of all users even when mail obfuscation is enabled. The address is obfuscated only in the value that is displayed or returned; filtering and sorting in the user listing and the corresponding API responses still operate on the real address, so repeated filtered or sorted queries let an attacker infer every address character by character. It affects XWiki installations from 3.5-milestone-1 onward and is fixed in 14.4.8, 14.10.4 and 15.0-rc-1 (earlier versions of each branch are affected).
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki: an open-source, Java-based wiki platform with a REST API and a user directory whose listings can be filtered and sorted.
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of every registered user's email address, enabling targeted phishing, spam and privacy violations against the whole user base.
Likely Case
Unauthorized users scripting the filter and sort queries to harvest addresses for spam lists or to target specific accounts.
If Mitigated
Limited additional exposure if the addresses are already public or the user base is small, but obfuscation is still being bypassed, which violates the privacy expectation the setting creates.
🎯 Exploit Status
Exploitation requires only web access to the user listing or REST API of the XWiki instance and the ability to send filtered and sorted requests. No special tooling is needed, and on instances where the user listing and API are reachable by unauthenticated visitors no account is needed either.
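The bypass described above, as an added simulation that is not XWiki code and not taken from the advisory: a mock user listing obfuscates the address it returns but still filters and sorts on the real value, and a client recovers every address using nothing but the presence or absence of a user in filtered results. The endpoint shape, the obfuscation format, the probe alphabet and the sample accounts are assumptions; the fixed mode shows what the same client gets once filter and sort use the obfuscated value.

```python
"""Simulation of the obfuscation bypass behind CVE-2023-34467.

Added example, not XWiki code and not from the advisory: it models a user
listing that obfuscates the email it returns while still filtering and
sorting on the real value, then shows a client recovering every address
with nothing but filtered queries. The endpoint shape, the obfuscation
format, the alphabet and the sample accounts are assumptions.
"""
from typing import Dict, List

# Constructed sample accounts; they exist on no real wiki.
USERS: Dict[str, str] = {
    "Admin": "admin@example.org",
    "jdoe": "john.doe@example.org",
    "mary": "mary@corp.test",
}

# Filter alphabet the client probes with (assumed; covers typical addresses).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789@._-+"


def obfuscate(email: str) -> str:
    """Assumed display format: first character of the local part, then '...@domain'."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}...@{domain}"


def users_endpoint(email_filter: str = "", filter_on_real_value: bool = True) -> List[Dict[str, str]]:
    """Mock user listing (livetable/REST style) with a substring filter on email.

    filter_on_real_value=True : vulnerable behaviour, filter and sort key use the
                                real address, only the output is obfuscated.
    filter_on_real_value=False: fixed behaviour, filter and sort key use the same
                                obfuscated value the caller can see.
    """
    rows = []
    for name, real in USERS.items():
        shown = obfuscate(real)
        haystack = real if filter_on_real_value else shown
        if email_filter.lower() in haystack.lower():
            rows.append((haystack.lower(), {"name": name, "email": shown}))
    rows.sort(key=lambda r: r[0])  # sorting leaks the same way the filter does
    return [row for _, row in rows]


def _listed(name: str, email_filter: str, vulnerable: bool) -> bool:
    """Oracle: is `name` still in the listing when this email filter is applied?"""
    return any(r["name"] == name for r in users_endpoint(email_filter, vulnerable))


def recover_email(name: str, vulnerable: bool = True) -> str:
    """Rebuild one user's address one character at a time from the filter oracle.

    With substring matching, growing the known fragment to the right until no
    character extends it leaves a suffix of the address; growing it to the
    left afterwards completes it. Characters outside ALPHABET stop the search.
    """
    known = ""
    for extend_right in (True, False):
        grown = True
        while grown:
            grown = False
            for c in ALPHABET:
                candidate = known + c if extend_right else c + known
                if _listed(name, candidate, vulnerable):
                    known, grown = candidate, True
                    break
    return known


def recover_all(vulnerable: bool = True) -> Dict[str, str]:
    """Enumerate the listing, then recover every displayed user's address."""
    return {r["name"]: recover_email(r["name"], vulnerable)
            for r in users_endpoint("", vulnerable)}


if __name__ == "__main__":
    print("listing shows:", users_endpoint(""))
    print("vulnerable:   ", recover_all(vulnerable=True))
    print("fixed:        ", recover_all(vulnerable=False))
```

In vulnerable mode `recover_all` returns the real addresses even though no response ever contained one; in fixed mode the same loop can only rebuild the obfuscated string it was already shown, which is the property to check after patching.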
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.4.8, 14.10.4, or 15.0-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Upgrade to XWiki 14.4.8, 14.10.4 or 15.0-rc-1.
3. Restart the XWiki application server.
4. Verify the fix by checking that filtering or sorting the user listing and the API responses on the email field no longer reveals more than the obfuscated value.
🔧 Temporary Workarounds
Disable User Email Display
Temporarily disable display of user email addresses throughout the wiki.
Edit the XWiki configuration to remove the email field from user profiles and from the user listings, including the filterable and sortable listing columns; hiding the value alone is not enough, since the bypass works through filtering and sorting rather than through the displayed value.
API Access Restriction
Restrict access to the vulnerable API endpoints.
Configure the web server or application firewall to block or authenticate access to the /rest/wikis/*/users endpoint. This also blocks legitimate API clients that use it, so confirm nothing in production depends on the endpoint before deploying the rule.
🧯 If You Can't Patch
- Implement network-level restrictions to limit access to the XWiki instance to trusted users only
- Monitor API access logs for unusual patterns of user data requests
🔍 How to Verify
Check if Vulnerable:
Request the REST API endpoint /rest/wikis/{wiki}/users with a filter on the email field (for example a fragment that only matches one known address) and again with a sort on that field. If the set of returned users or their order follows the real addresses rather than the obfuscated values shown in the UI, the instance is vulnerable.
Check Version:
Check XWiki version in Administration → About section or via /xwiki/bin/view/Main/About
Verify Fix Applied:
After patching, repeat the filtered and sorted requests and confirm that the results only reflect the obfuscated values, i.e. the API reveals nothing beyond what the UI already displays.
📡 Detection & Monitoring
Log Indicators:
- Multiple requests to user REST API endpoints
- Sequences of requests whose email filter value grows by one character each time, or that alternate sort direction on the email field, which is the signature of character-by-character recovery
Network Indicators:
- Unusual volume of requests to /rest/wikis/*/users endpoint
- API calls with filter parameters targeting email fields
SIEM Query:
source="xwiki" uri_path="/rest/wikis/*/users" status=200 | stats count BY src_ip | where count > 20
(Splunk-style syntax; the threshold of 20 requests is a starting point to tune against your normal API traffic.)
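The same detection logic run offline over constructed access-log lines, as an added example that is not part of the page or of XWiki: it keeps successful requests to the user endpoint that filter or sort on the email field and flags any client that sends more than a threshold of them inside a short window. The combined-log format, the query parameter names (`email`, `sort`), the threshold, the window and the sample traffic are assumptions.

```python
"""Detection of email-harvesting bursts against the XWiki user endpoint.

Added example, not from the page or XWiki: parses combined-log lines,
keeps successful requests to /rest/wikis/<wiki>/users that filter or sort
on the email field, and alerts on any client exceeding THRESHOLD such
requests inside WINDOW. Log format, parameter names, thresholds and the
sample traffic are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \d+"
)
USERS_PATH = re.compile(r"^/rest/wikis/[^/]+/users$")
WINDOW = timedelta(seconds=60)   # assumed tuning values
THRESHOLD = 20


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "query": parse_qs(url.query),
        "status": int(m["status"]),
    }


def is_email_probe(ev: dict) -> bool:
    """Successful user-listing request that filters or sorts on the email field."""
    if ev["status"] != 200 or not USERS_PATH.match(ev["path"]):
        return False
    return "email" in ev["query"] or "email" in ev["query"].get("sort", [])


def find_harvesters(lines: List[str]) -> List[dict]:
    """Sliding-window count of email probes per client IP; one alert per IP."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        if is_email_probe(ev):
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                window = evs[start:end + 1]
                filters = {e["query"].get("email", [""])[0] for e in window}
                alerts.append({"ip": ip, "count": len(window),
                               "distinct_filters": len(filters),
                               "first": window[0]["ts"], "last": window[-1]["ts"]})
                break
    return alerts


def build_sample_log() -> List[str]:
    """Constructed traffic: one client walks an address prefix by prefix
    (the harvesting pattern); another makes a few ordinary requests."""
    base = datetime(2023, 7, 12, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, offset: int, target: str, status: int = 200) -> str:
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" {status} 734'

    probe = "admin@example.org"  # constructed value, not a real address
    filters = [probe[:i] for i in range(1, len(probe) + 1)] + list("bcdefghij")
    log = [line("203.0.113.7", 2 * i, "/rest/wikis/xwiki/users?email=" + quote(f))
           for i, f in enumerate(filters)]
    log += [
        line("198.51.100.2", 5, "/xwiki/bin/view/Main/WebHome"),
        line("198.51.100.2", 9, "/rest/wikis/xwiki/users?email=mary"),
        line("198.51.100.2", 400, "/rest/wikis/xwiki/users?sort=email"),
        line("203.0.113.7", 1, "/rest/wikis/xwiki/users?email=a", status=401),
        "not a log line at all",
    ]
    return log


if __name__ == "__main__":
    for alert in find_harvesters(build_sample_log()):
        print(alert)
```

The distinct-filter count is what separates a harvester from a dashboard that polls the same listing repeatedly: a recovery loop changes the filter on nearly every request, so a high count with few distinct values is a weaker signal than the same count with many.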
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/71f889db9962df2d385f4298e29cfbc9050b828a#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63
- https://jira.xwiki.org/browse/XWIKI-20333