CVE-2023-26476

Summary

XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-platform>= 3.2-m3, < 13.4.4affected
xwikixwiki-platform>= 13.5.0, < 13.10.9affected
xwikixwiki-platform>= 14.0.0, < 14.7-rc-1affected

Weaknesses

  • CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References