CVE-2023-50720: 
Java vulnerability analysis and mitigation

The Solr-based search in XWiki Platform versions prior to 14.10.15, 15.5.2, and 15.7-rc-1 contains a vulnerability that discloses email addresses of users even when email address obfuscation is enabled. The vulnerability was discovered in November 2022 and was fixed in August 2023. The issue has been assigned CVE-2023-50720 with a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, NVD).

The vulnerability allows an unauthenticated attacker to view email addresses of any user by using the Solr search functionality. Specifically, by searching for 'objcontent:email*' using XWiki's regular search interface, an attacker could access email addresses that should have been obfuscated. The issue has been classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with CVSS metrics indicating network vector access, low attack complexity, no privileges required, and no user interaction needed (GitHub Advisory).

The vulnerability leads to unauthorized disclosure of user email addresses, which are considered sensitive personal information. This exposure occurs even when the system is configured to obfuscate email addresses, effectively bypassing privacy protections (Jira Issue).

The vulnerability has been fixed in XWiki versions 14.10.15, 15.5.2, and 15.7RC1. The fix prevents indexing of email address properties when obfuscation is enabled and implements re-indexing of affected wikis when the setting is changed. No workarounds are available for unpatched systems (GitHub Advisory).