CVE-2023-34466: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, was found to contain a security vulnerability (CVE-2023-34466) that affects versions from 5.0-milestone-1 up to versions prior to 14.4.8, 14.10.4, and 15.0-rc-1. The vulnerability allows tags from pages not viewable to the current user to be leaked by the tags API, potentially exposing sensitive information (GitHub Advisory, XWiki Jira).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v3.1 base score of 4.3 (MEDIUM). The attack vector is Network-based (AV:N), with Low attack complexity (AC:L), requiring Low privileges (PR:L), and No user interaction (UI:N). The scope is Unchanged (S:U), with Low impact on confidentiality (C:L) and No impact on integrity (I:N) or availability (A:N) (GitHub Advisory).

The vulnerability allows unauthorized users to access tags from pages they shouldn't have access to, even when explicit view restrictions are in place. This information disclosure can be exploited to infer the document references of non-viewable pages, potentially revealing sensitive information about the structure and content organization of restricted areas (GitHub Advisory, XWiki Jira).

The vulnerability has been patched in XWiki versions 14.4.8, 14.10.4, and 15.0-rc-1. There are no known workarounds apart from upgrading to a fixed version (GitHub Advisory).