CVE-2023-26476
02.03.2023, 19:15
XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.Enginsight
| Vendor | Product | Version |
|---|---|---|
| xwiki | xwiki | 3.3 ≤ 𝑥 < 13.4.4 |
| xwiki | xwiki | 13.5.0 ≤ 𝑥 < 13.10.9 |
| xwiki | xwiki | 14.0 ≤ 𝑥 < 14.7 |
| xwiki | xwiki | 3.2:milestone3 |
| xwiki | xwiki | 14.7:rc1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized ActorThe product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-307 - Improper Restriction of Excessive Authentication AttemptsThe product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.
References