CVE-2023-26476

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26476

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26476.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26476

Aliases

GHSA-5cf8-vrr8-8hjm

Published

2023-03-02T18:02:20Z

Modified

2025-10-30T16:09:13.369768Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor

Details

XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

09af15d4432bf2c8262f37542a0a7ffdbb719aea

Fixed

48e84afcd78dddb228a53067132edcaace7c65d2

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7f8825537c9523ccb5051abd78014d156f9791c8

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2

xwiki-platform-7.4-milestone-1

xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1

xwiki-platform-8.0-milestone-2

xwiki-platform-8.1-milestone-1

xwiki-platform-8.1-milestone-2

xwiki-platform-8.2-milestone-1

xwiki-platform-8.2-milestone-2

xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8",
        "target": {
            "file": "xwiki-platform-core/xwiki-platform-livetable/xwiki-platform-livetable-ui/src/test/java/org/xwiki/livetable/LiveTableResultsTest.java"
        },
        "deprecated": false,
        "id": "CVE-2023-26476-ff319067",
        "signature_version": "v1",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "89682815596848995582458015367900842712",
                "32805766459744904004856476091149137130",
                "232303136155003374610688648486012515596",
                "60753946066203983384981238966024109027",
                "198752432658054770709346246597400837929",
                "140764397076062067713823077114380169967",
                "53298633393457966238331907775288049311",
                "205019071073179689961786149771938169102",
                "245744189568848017656969703867808315277"
            ]
        }
    }
]