Vulnerability details: VCID-tue2-pwje-qqfz
Vulnerability ID VCID-tue2-pwje-qqfz
Aliases CVE-2023-37911
GHSA-gh64-qxh5-4m33
Summary org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document.

This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document.

This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
epss 0.00337 https://api.first.org/data/v1/epss?cve=CVE-2023-37911
cvssv3.1 6.5 https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages
generic_textual MODERATE https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages
ssvc Track https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-gh64-qxh5-4m33
cvssv3.1 6.5 https://github.com/xwiki/xwiki-platform
generic_textual MODERATE https://github.com/xwiki/xwiki-platform
cvssv3.1 6.5 https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
generic_textual MODERATE https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
ssvc Track https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
cvssv3.1 6.5 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
cvssv3.1_qr MODERATE https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
generic_textual MODERATE https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
ssvc Track https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
cvssv3.1 6.5 https://jira.xwiki.org/browse/XWIKI-20684
generic_textual MODERATE https://jira.xwiki.org/browse/XWIKI-20684
ssvc Track https://jira.xwiki.org/browse/XWIKI-20684
cvssv3.1 6.5 https://jira.xwiki.org/browse/XWIKI-20685
generic_textual MODERATE https://jira.xwiki.org/browse/XWIKI-20685
ssvc Track https://jira.xwiki.org/browse/XWIKI-20685
cvssv3.1 6.5 https://jira.xwiki.org/browse/XWIKI-20817
generic_textual MODERATE https://jira.xwiki.org/browse/XWIKI-20817
ssvc Track https://jira.xwiki.org/browse/XWIKI-20817
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2023-37911
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-37911
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpages
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/xwiki/xwiki-platform
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://jira.xwiki.org/browse/XWIKI-20684
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://jira.xwiki.org/browse/XWIKI-20684
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://jira.xwiki.org/browse/XWIKI-20685
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://jira.xwiki.org/browse/XWIKI-20685
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://jira.xwiki.org/browse/XWIKI-20817
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-10T18:36:31Z/ Found at https://jira.xwiki.org/browse/XWIKI-20817
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-37911
Exploit Prediction Scoring System (EPSS)
Percentile 0.56519
EPSS Score 0.00337
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:02.693640+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-37911.yml 38.0.0