Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-livetable-ui
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users without the right to view documents can deduce their existence by repeated Livetable queries: the response is not properly cleaned of obfuscated entries. The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3. As a workaround, the patch for the document XWiki.LiveTableResultsMacros can be manually applied, or an XAR archive of a patched version can be imported, on versions 12.10.11, 13.9-rc-1, and 13.4.4. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-livetable-ui (Maven) | >= 12.10.11, < 13.10.8 | 13.10.8 |
| org.xwiki.platform:xwiki-platform-livetable-ui (Maven) | >= 14.0.0, < 14.4.3 | 14.4.3 |
| org.xwiki.platform:xwiki-platform-livetable-ui (Maven) | >= 14.5.0, < 14.6-rc-1 | 14.6-rc-1 |
Affected products
- Range: >= 12.10.11, < 13.10.8
Patches
1450b6e3c69a XWIKI-19999: Livetable sources filtering improvement
2 files changed · +36 −1
xwiki-platform-core/xwiki-platform-livetable/xwiki-platform-livetable-ui/src/main/resources/XWiki/LiveTableResultsMacros.xml+6 −1 modified@@ -336,7 +336,12 @@ #set ($query = $query.setLimit($limit).setOffset($offset).bindValues($sqlParams)) #set($items = $query.execute()) #set($discard = $map.put('totalrows', $query.count())) - #set($discard = $map.put('returnedrows', $mathtool.min($items.size(), $limit))) + #if ($limit > 0) + #set($discard = $map.put('returnedrows', $mathtool.min($items.size(), $limit))) + #else + ## When the limit is 0, it's equivalent to no limit at all and the actual number of returned results can be used. + #set($discard = $map.put('returnedrows', $items.size())) + #end #set($discard = $map.put('offset', $mathtool.add($offset, 1))) #set($rows = []) #foreach($item in $items)
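Review bot: the new `#if ($limit > 0)` / `#else` in LiveTableResultsMacros.xml routes every non-positive `$limit`, not only `0`, into the "no limit at all" branch, while the comment only documents the `0` case. If a negative `$limit` can reach this point from the request, either reject or normalise it before the query is built, or make the intent explicit (`#elseif ($limit == 0)` with the comment, and a separate handling for the remaining case); otherwise extend the comment so it states that negative values are deliberately treated the same as `0`. Worth confirming as well that `$query.setLimit($limit)` a few lines above really executes without a limit for `0`, since the `returnedrows` value now relies on `$items.size()` being the full result size in that branch.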
xwiki-platform-core/xwiki-platform-livetable/xwiki-platform-livetable-ui/src/test/java/org/xwiki/livetable/LiveTableResultsTest.java+30 −0 modified@@ -47,6 +47,7 @@ import com.xpn.xwiki.objects.classes.StaticListClass; import com.xpn.xwiki.plugin.tag.TagPluginApi; +import static java.util.Collections.emptyList; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertFalse; import static org.junit.jupiter.api.Assertions.assertTrue; @@ -470,6 +471,35 @@ void removeObfuscatedResultsWhenTotalrowsLowerThanLimit() throws Exception assertEquals("XWiki.Viewable", viewable.get("doc_fullName")); } + @Test + void removeObfuscatedResultsWhenLimitIs0() throws Exception + { + when(this.queryService.hql(anyString())).thenReturn(this.query); + when(this.query.setLimit(anyInt())).thenReturn(this.query); + when(this.query.setOffset(anyInt())).thenReturn(this.query); + when(this.query.bindValues(any(Map.class))).thenReturn(this.query); + when(this.query.count()).thenReturn(1L); + when(this.query.execute()).thenReturn(Arrays.asList("XWiki.NotViewable")); + + when(this.oldcore.getMockContextualAuthorizationManager() + .hasAccess(same(Right.VIEW), eq(new DocumentReference("xwiki", "XWiki", "NotViewable")))).thenReturn(false); + + this.request.put("limit", "0"); + this.request.put("classname", ""); + this.request.put("collist", "doc.title,doc.location,doc.content"); + this.request.put("doc.title", "Sandbo"); + this.request.put("doc.location", "Sandbox.TestPage3"); + this.request.put("doc.content", "dummy"); + this.request.put("limit", "0"); + + renderPage(); + + assertEquals(0, getTotalRowCount()); + assertEquals(0, getRowCount()); + assertEquals(1, getOffset()); + assertEquals(emptyList(), getRows()); + } + // // Helper methods //
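Review bot: in `removeObfuscatedResultsWhenLimitIs0`, `this.request.put("limit", "0");` appears twice (once before `classname`, once again after `doc.content`); the second call is a no-op and should be dropped so the request setup reads cleanly. The assertions `assertEquals(0, getTotalRowCount())` and `assertEquals(0, getRowCount())` pin down the behaviour the fix targets (the non-viewable document is removed from both the rows and the count when the limit is 0), which is the right regression check for this change; a one-line comment above the `limit` setup saying that `0` means "no limit" for the live table would tie the test back to the template comment added in LiveTableResultsMacros.xml.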
References
- https://github.com/advisories/GHSA-p2x4-6ghr-6vmq (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-41935 (NVD entry)
- https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd (fix commit)
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p2x4-6ghr-6vmq (project advisory)
- https://jira.xwiki.org/browse/XWIKI-19999 (issue tracker)