Lucene search

K
cvelistGitHub_MCVELIST:CVE-2023-26476
HistoryMar 02, 2023 - 6:02 p.m.

CVE-2023-26476 Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor

2023-03-0218:02:20
CWE-200
GitHub_M
www.cve.org
7
xwiki platform
sensitive information
unauthorized actor
livetableresults
wikislivetableresultsmacros
upgrade
patch

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

53.9%

XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 3.2-m3, < 13.4.4",
        "status": "affected"
      },
      {
        "version": ">= 13.5.0, < 13.10.9",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.7-rc-1",
        "status": "affected"
      }
    ]
  }
]

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.002

Percentile

53.9%

Related for CVELIST:CVE-2023-26476