CVE-2023-37911
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2023-37911 is a vulnerability affecting the XWiki Platform, a wiki solution used for building applications. In versions 9.4-rc-1 and earlier, up to 14.10.7 and 15.3-rc-1, deleted documents that have been re-created can be accessed by users who have view rights on the new document but not on the old one. The issue arises when rights had been added to the deleted document; the old content can be reached through the diff feature and, partially, through the REST API. Attackers can also re-create deleted documents themselves if they have edit rights at the document's location, so any deleted document within the system's scope is at risk. The vulnerability was patched in XWiki 14.10.8 and 15.3 RC1 by implementing proper rights checking when accessing deleted revisions. As a workaround, regularly delete unnecessary documents to minimize potential exposure, and take special care when deleting sensitive documents or protected spaces.
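As an added illustration (a constructed Python model, not XWiki code and not the patched implementation), the flawed check beside the corrected one: every revision records the users who held view right when it was saved, and the vulnerable accessor consults only the rights of the re-created document. All user names and paths are constructed.

```python
class PermissionDenied(Exception):
    pass

class Wiki:
    def __init__(self):
        self.docs = {}  # path -> {"current": (content, viewers) or None, "deleted": [...]}

    def create(self, path, content, viewers):
        # Create or re-create a document with its own set of users holding view right.
        doc = self.docs.setdefault(path, {"current": None, "deleted": []})
        doc["current"] = (content, frozenset(viewers))

    def delete(self, path):
        # The deleted revision goes to the recycle bin with the rights it carried.
        doc = self.docs[path]
        doc["deleted"].append(doc["current"])
        doc["current"] = None

    def deleted_revision_vulnerable(self, path, index, user):
        # Flawed pattern: only rights on the re-created document are checked, so a
        # viewer of the new page can read any deleted revision (e.g. through a diff).
        doc = self.docs[path]
        if doc["current"] is None or user not in doc["current"][1]:
            raise PermissionDenied(user)
        return doc["deleted"][index][0]

    def deleted_revision_fixed(self, path, index, user):
        # Fixed pattern: also enforce the rights recorded on the deleted revision.
        doc = self.docs[path]
        if doc["current"] is None or user not in doc["current"][1]:
            raise PermissionDenied(user)
        content, old_viewers = doc["deleted"][index]
        if user not in old_viewers:
            raise PermissionDenied(user)
        return content

def scenario():
    # Constructed scenario: a page viewable only by "admin" is deleted, then
    # re-created at the same location with "mallory" granted view right.
    wiki = Wiki()
    wiki.create("Sandbox/Secret", "old confidential text", {"admin"})
    wiki.delete("Sandbox/Secret")
    wiki.create("Sandbox/Secret", "new text", {"admin", "mallory"})
    leaked = wiki.deleted_revision_vulnerable("Sandbox/Secret", 0, "mallory")
    try:
        wiki.deleted_revision_fixed("Sandbox/Secret", 0, "mallory")
        blocked = False
    except PermissionDenied:
        blocked = True
    return leaked, blocked
```

The model also shows why the advisory's workaround helps: with the recycle bin emptied, there is no old revision left for either accessor to return.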
Affected Products
- Xwiki
Affected Vendors
- xwiki