Common Weakness Enumeration

CWE-668

Discouraged

Exposure of Resource to Wrong Sphere

Abstraction: Class · Status: Draft

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

1251 vulnerabilities reference this CWE, most recent first.

GHSA-VM9V-45VG-Q73F

Vulnerability from github – Published: 2023-03-08 21:30 – Updated: 2025-03-04 21:30
VLAI
Details

There exists an information disclosure vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by unauthenticated users to read arbitrary files from Zephyr instances.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-22892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-03-08T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "There exists an information disclosure vulnerability in SmartBear Zephyr Enterprise through 7.15.0 that could be exploited by unauthenticated users to read arbitrary files from Zephyr instances.",
  "id": "GHSA-vm9v-45vg-q73f",
  "modified": "2025-03-04T21:30:52Z",
  "published": "2023-03-08T21:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22892"
    },
    {
      "type": "WEB",
      "url": "https://smartbear.com/security/cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP8W-34R2-97R4

Vulnerability from github – Published: 2022-09-29 00:00 – Updated: 2022-09-29 00:00
VLAI
Details

IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-36771"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-28T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM QRadar User Behavior Analytics could allow an authenticated user to obtain sensitive information from that they should not have access to. IBM X-Force ID: 232791.",
  "id": "GHSA-vp8w-34r2-97r4",
  "modified": "2022-09-29T00:00:22Z",
  "published": "2022-09-29T00:00:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36771"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/232791"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6824197"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VP9J-RGHQ-8JHH

Vulnerability from github – Published: 2022-02-09 21:59 – Updated: 2024-11-18 16:26
VLAI
Summary
Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible
Details

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0a1"
            },
            {
              "fixed": "2.10.0rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.9.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-10744"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T13:49:09Z",
    "nvd_published_at": "2020-05-15T14:15:00Z",
    "severity": "LOW"
  },
  "details": "An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.",
  "id": "GHSA-vp9j-rghq-8jhh",
  "modified": "2024-11-18T16:26:11Z",
  "published": "2022-02-09T21:59:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-10744"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/issues/69782"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/77d0effcc5b2da1ef23e4ba32986a9759c27c10d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/84afa8e90cd168ff13208c8eae3e533ce7e21e1f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ansible/ansible/commit/ffd3757fc35468a97791e452e7f2d14c3e3fcb80"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vp9j-rghq-8jhh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ansible/ansible"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-208.yaml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Exposure of Resource to Wrong Sphere and Insecure Temporary File in Ansible"
}

GHSA-VPW5-GRXX-V396

Vulnerability from github – Published: 2021-09-02 17:16 – Updated: 2022-07-13 18:55
VLAI
Summary
CSRF token exposure in TYPO3 extension
Details

When using the CsrfTokenViewHelper the extension discloses the user's session identifier to HTML output without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance Cross Site Scripting in the frontend output.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "lms/routes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-36793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T17:23:15Z",
    "nvd_published_at": "2021-08-13T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When using the CsrfTokenViewHelper the extension discloses the user\u0027s session identifier to HTML output without processing of additional cryptographic hashing algorithms. This vulnerability cannot be exploited directly and occurs in combination with a chained attack - like for instance Cross Site Scripting  in the frontend output.",
  "id": "GHSA-vpw5-grxx-v396",
  "modified": "2022-07-13T18:55:15Z",
  "published": "2021-09-02T17:16:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36793"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Lacr1ma/routes"
    },
    {
      "type": "WEB",
      "url": "https://typo3.org/security/advisory/typo3-ext-sa-2021-008"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CSRF token exposure in TYPO3 extension"
}

GHSA-VQ22-4G75-MF6J

Vulnerability from github – Published: 2021-12-27 00:01 – Updated: 2023-08-08 15:31
VLAI
Details

Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-45494"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-12-26T01:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Certain NETGEAR devices are affected by an attacker\u0027s ability to read arbitrary files. This affects RBK352 before 4.4.0.10, RBR350 before 4.4.0.10, and RBS350 before 4.4.0.10.",
  "id": "GHSA-vq22-4g75-mf6j",
  "modified": "2023-08-08T15:31:27Z",
  "published": "2021-12-27T00:01:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-45494"
    },
    {
      "type": "WEB",
      "url": "https://kb.netgear.com/000064160/Security-Advisory-for-Arbitrary-File-Read-on-Some-WiFi-Systems-PSV-2021-0044"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ4R-F49J-6CH9

Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30
VLAI
Details

Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-38599"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-08T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface.",
  "id": "GHSA-vq4r-f49j-6ch9",
  "modified": "2022-12-12T18:30:29Z",
  "published": "2022-12-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38599"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/arleyna/20d858e11c48984d00926fa8cc0c2722"
    },
    {
      "type": "WEB",
      "url": "http://teleport.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQ4R-MMWV-GR7W

Vulnerability from github – Published: 2022-09-02 00:01 – Updated: 2022-09-08 00:00
VLAI
Details

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-39045"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-01T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could allow a local attacker to obtain information due to the autocomplete feature on password input fields. IBM X-Force ID: 214345.",
  "id": "GHSA-vq4r-mmwv-gr7w",
  "modified": "2022-09-08T00:00:33Z",
  "published": "2022-09-02T00:01:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-39045"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/214345"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20221014-0005"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/6615285"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VQJ2-4V8M-8VRQ

Vulnerability from github – Published: 2022-02-24 00:00 – Updated: 2024-09-30 20:52
VLAI
Summary
Insecure Temporary File in mlflow
Details

mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function tempfile.mktemp() is deprecated and mkstemp() should be used instead.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mlflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.23.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-0736"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-377",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-24T21:42:26Z",
    "nvd_published_at": "2022-02-23T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "mlflow prior to 1.23.1 contains an insecure temporary file. The insecure function `tempfile.mktemp()` is deprecated and `mkstemp()` should be used instead.",
  "id": "GHSA-vqj2-4v8m-8vrq",
  "modified": "2024-09-30T20:52:09Z",
  "published": "2022-02-24T00:00:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0736"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mlflow/mlflow/commit/61984e6843d2e59235d82a580c529920cd8f3711"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-vqj2-4v8m-8vrq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mlflow/mlflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2022-28.yaml"
    },
    {
      "type": "WEB",
      "url": "https://huntr.dev/bounties/e5384764-c583-4dec-a1d8-4697f4e12f75"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Insecure Temporary File in mlflow"
}

GHSA-VRQ4-9HC3-CGP7

Vulnerability from github – Published: 2025-04-12 03:42 – Updated: 2025-04-15 12:49
VLAI
Summary
TigerVNC accessible via the network and not just via a UNIX socket as intended
Details

Summary

jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network.

This vulnerability does not affect users having TurboVNC as the vncserver executable.

Credits

This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-remote-desktop-proxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "3.0.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2025-32428"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-12T03:42:31Z",
    "nvd_published_at": "2025-04-15T00:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\n`jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by `jupyter-remote-desktop-proxy` were still accessible via the network.\n\nThis vulnerability does not affect users having TurboVNC as the `vncserver` executable.\n\n## Credits\n\nThis vulnerability was identified by Arne Gottwald at University of G\u00f6ttingen and analyzed, reported, and reviewed by @frejanordsiek.",
  "id": "GHSA-vrq4-9hc3-cgp7",
  "modified": "2025-04-15T12:49:04Z",
  "published": "2025-04-12T03:42:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-remote-desktop-proxy/security/advisories/GHSA-vrq4-9hc3-cgp7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32428"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterhub/jupyter-remote-desktop-proxy/commit/7dd54c25a4253badd8ea68895437e5a66a59090d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterhub/jupyter-remote-desktop-proxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "TigerVNC accessible via the network and not just via a UNIX socket as intended"
}

GHSA-VVP7-R422-RX83

Vulnerability from github – Published: 2023-04-12 20:40 – Updated: 2023-04-16 07:18
VLAI
Summary
Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
Details

Impact

It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked.

Patches

The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.

Workarounds

It's possible to workaround this vulnerability by patching directly uorgsuggest.vm to apply the same changes as in https://github.com/xwiki/xwiki-platform/pull/1883.

References

  • JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20007
  • this vulnerability is actually a remaining of https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf which wasn't entirely fixed back then

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira * Email us at security ML

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.9-rc-1"
            },
            {
              "fixed": "13.10.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0-rc-1"
            },
            {
              "fixed": "14.4.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-web-templates"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.7-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-359",
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T20:40:00Z",
    "nvd_published_at": "2023-04-15T16:15:00Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nIt\u0027s possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns hidden users from main wiki.\nNote that the disclosed information are the username and the first and last name of users, no other information is leaked. \n\n### Patches\n\nThe problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1.\n\n### Workarounds\n\nIt\u0027s possible to workaround this vulnerability by patching directly `uorgsuggest.vm ` to apply the same changes as in https://github.com/xwiki/xwiki-platform/pull/1883.\n\n### References\n\n  * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20007\n  * this vulnerability is actually a remaining of https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf which wasn\u0027t entirely fixed back then\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](https://jira.xwiki.org)\n* Email us at [security ML](mailto:security@xwiki.org)\n",
  "id": "GHSA-vvp7-r422-rx83",
  "modified": "2023-04-16T07:18:33Z",
  "published": "2023-04-12T20:40:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vvp7-r422-rx83"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29203"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/pull/1883"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20007"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm "
}

No mitigation information available for this CWE.

No CAPEC attack patterns related to this CWE.