cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2023-49280,https://securityvulnerability.io/vulnerability/CVE-2023-49280,Data leak of password hash through xwiki change request,"The XWiki Change Request application exposes a vulnerability that allows unauthorized users to edit pages and download sensitive XML files containing password hashes. By default, the Change Request feature permits users to edit any page, enabling a potential attacker to manipulate user profiles. After making unauthorized edits, attackers can download an XML file that may contain sensitive information, including password hashes, for any document a user is permitted to view. This vulnerability affects all versions of the Change Request application, necessitating immediate action from administrators to restrict editing rights for any pages containing password fields. The recently provided patch in Change Request 1.10 can help mitigate the risk, but administrators must also manually address existing change requests. A workaround exists by manually revoking Change Request rights in certain spaces, particularly in user profile areas.",XWiki,Application-changerequest,7.7,HIGH,0.0012100000167265534,false,false,false,false,,false,false,2023-12-04T23:15:00.000Z,0
CVE-2023-45138,https://securityvulnerability.io/vulnerability/CVE-2023-45138,Change Request Application vulnerable to XSS and remote code execution through change request title,"The Change Request application by XWiki allows users to request edits without immediate publication. In versions from 0.11 to prior to 1.9.2, a significant vulnerability allows unauthorized users to perform script injection and remote code execution by manipulating titles of new Change Requests. This exploitation is feasible due to the design of the application, which permits users without specific permissions to create Change Requests. Users are encouraged to upgrade to version 1.9.2 or apply workarounds by editing the ChangeRequest.Code.ChangeRequestSheet to mitigate the risk.",XWiki,Application-changerequest,10,CRITICAL,0.0040699997916817665,false,false,false,false,,false,false,2023-10-12T17:15:00.000Z,0