CVE-2023-34465

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-34465
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-34465.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-34465
Aliases
Published
2023-06-23T15:07:59.732Z
Modified
2025-12-02T23:58:06.726232Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
Details

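XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, Mail.MailConfig can be edited by any logged-in user by default. Consequently, any such user can change the mail obfuscation configuration and view and edit the mail sending configuration, including the SMTP domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. (Note: this description gives the upper bound of the affected range as 15.2 but the patched release as 15.1; check the vendor advisory to confirm which 15.x release carries the fix.) As a workaround, the rights of the Mail.MailConfig page can be manually updated so that only a set of trusted users can view, edit and delete it (e.g., the XWiki.XWikiAdminGroup group). Because the SMTP credentials were readable by any logged-in user on affected versions, consider rotating them after upgrading or applying the workaround.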

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34465.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 (introduced commit unknown, so all previous commits are treated as affected)
Fixed
Fixed

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures

[
    {
        "target": {
            "function": "updateDocument",
            "file": "xwiki-platform-core/xwiki-platform-mail/xwiki-platform-mail-send/xwiki-platform-mail-send-default/src/test/java/org/xwiki/mail/internal/MailConfigMandatoryDocumentInitializerTest.java"
        },
        "digest": {
            "function_hash": "173364625038017273390972508657668567891",
            "length": 869.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-05a3b2d8",
        "source": "https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "restrictToAdmin",
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/main/java/org/xwiki/security/internal/DocumentInitializerRightsManager.java"
        },
        "digest": {
            "function_hash": "93451971384522130936823722338844709062",
            "length": 245.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-0b5fef5e",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "restrictToAdmin",
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/test/java/org/xwiki/security/internal/DocumentInitializerRightsManagerTest.java"
        },
        "digest": {
            "function_hash": "153405914109497263771654871076915242391",
            "length": 453.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-284bcb0b",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "updateDocument",
            "file": "xwiki-platform-core/xwiki-platform-mail/xwiki-platform-mail-send/xwiki-platform-mail-send-default/src/main/java/org/xwiki/mail/internal/MailConfigMandatoryDocumentInitializer.java"
        },
        "digest": {
            "function_hash": "310236141561327891510840803957599046856",
            "length": 418.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-29845bed",
        "source": "https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-mail/xwiki-platform-mail-send/xwiki-platform-mail-send-default/src/test/java/org/xwiki/mail/internal/MailConfigMandatoryDocumentInitializerTest.java"
        },
        "digest": {
            "line_hashes": [
                "238611585619369198223195014396330268489",
                "249831616704819389661435993096246804072",
                "302801489775473038137104161868036645698",
                "260869764692796577391103447954061440208",
                "23630225419865141464528394775595498352",
                "146074478148569300459889951441085792755",
                "23080935388510115565212960290984675120",
                "293790497848229423693504824372098401086",
                "302853744962123618235869233332757155007",
                "241621816753867071664067710193796030378",
                "316643495151448516211544629199946447077",
                "91606995772733768590591204912641346884",
                "256837499979082445936729004883917012615",
                "470758357094057299584907388150234561",
                "263289264333090417219171941647256293011",
                "253699554563980502278802792899499165474",
                "327079163853487255037510295807338723159",
                "195661555872969884043432150687575013297",
                "131683015990487595403385952379356817303"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2023-34465-4034609b",
        "source": "https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-mail/xwiki-platform-mail-send/xwiki-platform-mail-send-default/src/main/java/org/xwiki/mail/internal/MailConfigMandatoryDocumentInitializer.java"
        },
        "digest": {
            "line_hashes": [
                "195039332183905077917504381963963383939",
                "114890776437780539777564243349263821776",
                "153821254860478850301927340550795362789",
                "151915225425961398288959671441402443392",
                "42574006591415830526712984088780752231",
                "30883785283791495731271036069651208671",
                "192800990950226212210694379033652562699",
                "69922036597773573034269341448689007647",
                "22469208139615187668994091726189474405",
                "266086549347169265238040057194119056872"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2023-34465-68f82219",
        "source": "https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/test/java/org/xwiki/security/internal/DocumentInitializerRightsManagerTest.java"
        },
        "digest": {
            "line_hashes": [
                "185140603362596468441518062752969315857",
                "241270078560628583598228311589606572383",
                "183713283052923165803325999225277528936",
                "295357110703490664560786147479138264133",
                "137177347749347327782334901263238947790",
                "116182324874630230869539335338073789862",
                "191440954424910254012033442667297270781",
                "101775752014346367719714456154039401494",
                "47357403516173794348486546425829739538",
                "264717531720413368403892809693594351506"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2023-34465-71073dff",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/main/java/org/xwiki/security/internal/DocumentInitializerRightsManager.java"
        },
        "digest": {
            "line_hashes": [
                "313000011655846955410817342850998721569",
                "240233506638307711127645747023171700746",
                "234578567184060738019238978681667128815",
                "67462985994357894873469227405606002172",
                "314751280306295819157137611422731491576",
                "126692328717529809230104958422406257031",
                "282488593824314410124840649830822305050",
                "185958849366960652413703138055045199289",
                "59616408641179715459337276780131500239",
                "80009635419862263934400784761625506871",
                "46191099233316442578237938421911367090",
                "62258176763299806177110208654290787197",
                "304946764817011716251182758763418552789",
                "159706723676919981475150762110433605877",
                "34738464989595075105228718999591110328",
                "161713962614245870133076247079948471863",
                "58066466645207936263920264407062816636",
                "171135324452364214391493146138709958889",
                "312310984745276927902270691303354476935",
                "271187184980805113502759948515926569109",
                "280477137632721237758066384534622404677",
                "269658134451400991437150178480256861377",
                "334727646633398176023938130437221197938",
                "325528649855193310851669536550982026665",
                "100751488022752793702980340494789328941",
                "1209861868992380357671173954995133456",
                "280625347391265750196416620407243980550",
                "135795053984512102881476125549194333436",
                "286206513202615692007174253590371937592",
                "168384360159362926793445529631068646239",
                "299875925422797081660958221557145856453",
                "251168979143409094262237210228708392214"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "id": "CVE-2023-34465-9af8432a",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "restrictToAdminSkipWhenAlreadyHasRights",
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/test/java/org/xwiki/security/internal/DocumentInitializerRightsManagerTest.java"
        },
        "digest": {
            "function_hash": "101332285155372134457699555523703905006",
            "length": 183.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-a413a774",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Function",
        "signature_version": "v1"
    },
    {
        "target": {
            "function": "initializeRights",
            "file": "xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/main/java/org/xwiki/security/internal/DocumentInitializerRightsManager.java"
        },
        "digest": {
            "function_hash": "53701085943456389539865806419941124650",
            "length": 707.0
        },
        "deprecated": false,
        "id": "CVE-2023-34465-ff49f4aa",
        "source": "https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1",
        "signature_type": "Function",
        "signature_version": "v1"
    }
]