GHSA-5cf8-vrr8-8hjm

Source

https://github.com/advisories/GHSA-5cf8-vrr8-8hjm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-5cf8-vrr8-8hjm/GHSA-5cf8-vrr8-8hjm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5cf8-vrr8-8hjm

Aliases

CVE-2023-26476

Published

2023-03-03T22:47:49Z

Modified

2023-11-08T04:12:01.656720Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

XWiki Platform packages Expose Sensitive Information to an Unauthorized Actor

Details

Impact

Users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros.

Patches

The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9.

Workarounds

The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

References

Jira: https://jira.xwiki.org/browse/XWIKI-19949
Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2023-03-02T19:15:00Z",
    "github_reviewed_at": "2023-03-03T22:47:49Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-200",
        "CWE-307"
    ]
}

References

Affected packages

Maven

org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name: org.xwiki.platform:xwiki-platform-livetable-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2-m3

Fixed

13.4.4

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2-m3

Fixed

13.4.4

org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name: org.xwiki.platform:xwiki-platform-livetable-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5.0

Fixed

13.10.9

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5.0

Fixed

13.10.9

org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name: org.xwiki.platform:xwiki-platform-livetable-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.7-rc-1

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0.0

Fixed

14.7-rc-1