CVE-2023-38509: Obfuscated email addresses should not be sorted

July 27, 2023

Impact

The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails.

See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps.

Patches

This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1.

Workarounds

The workaround is to modify the page XWiki.LiveTableResultsMacros following this patch.

References

https://jira.xwiki.org/browse/XWIKI-20601
https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

References

github.com/advisories/GHSA-g9w4-prf3-m25g
github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c
github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g
jira.xwiki.org/browse/XWIKI-20601

Detect and mitigate CVE-2023-38509 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →