Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/45442?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/45442?format=api", "vulnerability_id": "VCID-dxfr-k1tg-83fj", "summary": "Exposure of Resource to Wrong Sphere\nXWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, ny user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.", "aliases": [ { "alias": "CVE-2023-35151" }, { "alias": "GHSA-8g9c-c9cm-9c56" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65610?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.4.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/65611?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.10.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.10.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/65612?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@15.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@15.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65607?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@7.3-milestone-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dxfr-k1tg-83fj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@7.3-milestone-1" }, { "url": "http://public2.vulnerablecode.io/api/packages/65608?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dxfr-k1tg-83fj" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@14.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/65609?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@15.0-rc-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7jsf-8yfm-x7cx" }, { "vulnerability": "VCID-dxfr-k1tg-83fj" }, { "vulnerability": "VCID-xpdz-mg49-efca" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-rest-server@15.0-rc-1" } ], "references": [ { "reference_url": "https://github.com/xwiki/xwiki-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede" }, { "reference_url": "https://jira.xwiki.org/browse/XWIKI-16138", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jira.xwiki.org/browse/XWIKI-16138" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35151", "reference_id": "CVE-2023-35151", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35151" }, { "reference_url": "https://github.com/advisories/GHSA-8g9c-c9cm-9c56", "reference_id": "GHSA-8g9c-c9cm-9c56", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-8g9c-c9cm-9c56" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56", "reference_id": "GHSA-8g9c-c9cm-9c56", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56" } ], "weaknesses": [ { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 668, "name": "Exposure of Resource to Wrong Sphere", "description": "The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 359, "name": "Exposure of Private Personal Information to an Unauthorized Actor", "description": "The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dxfr-k1tg-83fj" }