CVE-2023-26476 Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor

2023-03-0218:02:20

CWE-200

GitHub_M

www.cve.org

xwiki platform

sensitive information

unauthorized actor

livetableresults

wikislivetableresultsmacros

upgrade

patch

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

49.5%

JSON

XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 3.2-m3, < 13.4.4",
        "status": "affected"
      },
      {
        "version": ">= 13.5.0, < 13.10.9",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.7-rc-1",
        "status": "affected"
      }
    ]
  }
]