CVE-2023-35151: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a security vulnerability (CVE-2023-35151) where any user could access obfuscated passwords through a REST endpoint, even when mail obfuscation was activated. The vulnerability affected versions from 7.3-milestone-1 up to versions prior to 14.4.8, 14.10.6, and 15.1 (NVD, GitHub Advisory).

The vulnerability was assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue was classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and CWE-668 (Exposure of Resource to Wrong Sphere). The vulnerability allowed unauthorized access to sensitive information through REST endpoints, specifically exposing obfuscated passwords and email addresses (NVD).

The vulnerability exposed sensitive user information, particularly obfuscated passwords and email addresses, to unauthorized users. This exposure could potentially lead to offline password cracking attempts using methods such as rainbow tables, compromising user account security (Jira Issue).

The vulnerability has been patched in XWiki versions 14.4.8, 14.10.6, and 15.1. No workarounds were available for affected versions, and users were advised to upgrade to one of the patched versions (GitHub Advisory).