Cyber Resilience

CVE-2023-29203

LowPublic PoC

Published: 15 April 2023

Published
15 April 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0010 28.0th percentile
Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29203 is a low-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Xwiki Xwiki. Its CVSS base score is 3.7 (Low).

Operationally, ranked at the 28.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This…

more

issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
13.9 · 13.9 — 13.10.8 · 14.4.0 — 14.4.3 · 14.5 — 14.6

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-359 CWE-668

Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.

addresses: CWE-359 CWE-668

The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII.

addresses: CWE-359 CWE-668

Tracking locations of sensitive data and access users reduces risk of private personal information exposure.

addresses: CWE-359 CWE-668

Mandatory user notification of sensor activation makes surreptitious capture of private personal information (camera, microphone, location, etc.) substantially harder to perform without detection.

addresses: CWE-359

Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.

addresses: CWE-359

Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.

addresses: CWE-668

Controls whether organization resources are exposed to external system spheres by permitting or prohibiting their use.

addresses: CWE-668

The control ensures information is not released into a security sphere where the recipient lacks matching access authorizations.

References