VYPR
High severity · NVD Advisory · Published Mar 2, 2023 · Updated Mar 5, 2025

Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor

CVE-2023-26476

Description

XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, a user who can reach LiveTableResults or WikisLiveTableResultsMacros can deduce the content of Password-typed fields by making repeated, filtered calls and observing which filter values still return results: the filter value supplied for a password column was added to the query, so the match/no-match outcome leaks the stored value one character at a time. What leaks is the stored hash (the commit title below speaks of reconstructing password hashes), which an attacker can then crack offline. The issue is fixed in versions 14.7-rc-1, 13.4.4 and 13.10.9 and later; on any affected version (>= 3.2-m3) it can also be fixed by applying the patch manually to the LiveTableResultsMacros and WikisLiveTableResultsMacros pages. Both pages carry their own copy of the column loop that the fix guards, so a manual patch must be applied to both.
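The character-at-a-time inference that the description and the commit title refer to, as an added example that is not XWiki's code: a small Python model of the live table filter, with the vulnerable and the patched behaviour selected by one flag, and the probing loop an attacker would run against it. The row data, the prefix-match semantics, the hex alphabet and the names `LiveTable`, `results` and `recover_password_hash` are assumptions made for this model; XWiki's real match mode and stored hash format are not shown on this page.

```python
# Added example, not XWiki code: a toy model of the live table filter oracle
# behind CVE-2023-26476 and of the patched behaviour.
#
# Assumptions (mine, not stated on the advisory page): rows are dicts, the
# XClass is a dict mapping property name -> classType, and a string filter
# matches as a case-sensitive prefix (LIKE 'value%'). XWiki's real match mode
# is not shown on this page; any prefix- or substring-style filter leaks the
# same way, only the probing strategy changes.
from dataclasses import dataclass
from typing import Dict, List, Optional

HEX = "0123456789abcdef"

# Constructed sample data: two user documents, each with a Password property
# holding a made-up hash. A real stored value may use a wider alphabet;
# widen `alphabet` in recover_password_hash accordingly.
XCLASS = {"name": "String", "password": "Password"}
ROWS = [
    {"doc.fullName": "XWiki.Alice", "name": "Alice",
     "password": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"doc.fullName": "XWiki.Bob", "name": "Bob",
     "password": "d8578edf8458ce06fbc5bb76a58c5ca4"},
]


@dataclass
class LiveTable:
    """Minimal stand-in for LiveTableResults: filters rows by request values."""
    rows: List[dict]
    xclass: Dict[str, str]
    skip_password_columns: bool   # False = vulnerable, True = patched
    requests: int = 0

    def results(self, request: Dict[str, str], collist: List[str]) -> List[dict]:
        self.requests += 1
        filters = []
        for col in collist:
            # The patch: a column whose class property is of type Password is
            # never added to the query, so its filter value has no effect.
            if self.skip_password_columns and self.xclass.get(col) == "Password":
                continue
            if col in request:
                filters.append((col, request[col]))
        return [row for row in self.rows
                if all(str(row.get(col, "")).startswith(val) for col, val in filters)]


def recover_password_hash(table: LiveTable, target: str,
                          alphabet: str = HEX, max_len: int = 128) -> Optional[str]:
    """Rebuild `target`'s Password property one character at a time.

    The only signal used is whether the filtered result set is non-empty, which
    is exactly what a live table response exposes. Cost is about
    len(alphabet) * len(secret) requests, which is how a figure in the hundreds
    (the commit title quotes 768) arises for a hex-encoded hash.
    Returns None when every candidate matches, i.e. the filter was ignored and
    no information leaks; that is the patched behaviour.
    """
    known = ""
    while len(known) < max_len:
        hits = [c for c in alphabet
                if table.results({"doc.fullName": target, "password": known + c},
                                 ["doc.fullName", "password"])]
        if len(hits) == len(alphabet):
            return None            # oracle is blind: password filter dropped
        if not hits:
            return known           # no extension matches: value is complete
        known += hits[0]
    return known


if __name__ == "__main__":
    vulnerable = LiveTable(ROWS, XCLASS, skip_password_columns=False)
    print("vulnerable:", recover_password_hash(vulnerable, "XWiki.Alice"),
          "in", vulnerable.requests, "requests")
    patched = LiveTable(ROWS, XCLASS, skip_password_columns=True)
    print("patched:", recover_password_hash(patched, "XWiki.Alice"),
          "after", patched.requests, "requests")
```

Against the vulnerable table the loop recovers the 32-character sample hash in 16 × 33 requests (one full round per position plus a final round that finds no extension); against the patched table the very first round returns the target row for all 16 candidates, so the loop detects that the filter was ignored and stops after 16 requests with nothing learned.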

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                                     Affected versions        Patched version
org.xwiki.platform:xwiki-platform-livetable-ui (Maven)      >= 3.2-m3, < 13.4.4      13.4.4
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki (Maven)  >= 3.2-m3, < 13.4.4      13.4.4
org.xwiki.platform:xwiki-platform-livetable-ui (Maven)      >= 13.5.0, < 13.10.9     13.10.9
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki (Maven)  >= 13.5.0, < 13.10.9     13.10.9
org.xwiki.platform:xwiki-platform-livetable-ui (Maven)      >= 14.0.0, < 14.7-rc-1   14.7-rc-1
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki (Maven)  >= 14.0.0, < 14.7-rc-1   14.7-rc-1


Patches (1)

Commit 7f8825537c95

XWIKI-19949: Livetable results allow reconstructing password hashes using 768 requests

Repository: https://github.com/xwiki/xwiki-platform · Author: Manuel Leduc · Jul 21, 2022 · via GHSA
3 files changed · +49 −2
  • xwiki-platform-core/xwiki-platform-livetable/xwiki-platform-livetable-ui/src/main/resources/XWiki/LiveTableResultsMacros.xml (+9 −1, modified)
    @@ -73,7 +73,15 @@
       ##
       #set($tablelist = [])
       #foreach($colname in $collist)
    -    #livetable_addColumnToQuery($colname)
    +    ## If a classname is defined and the class field corresponding to the column name,
    +    ## we check the type of the field and skip it if it's Password.
    +    #if ($className != '' &amp;&amp; $class.get($colname))
    +      #if ($class.get($colname).classType != 'Password')
    +        #livetable_addColumnToQuery($colname)
    +      #end
    +    #else
    +      #livetable_addColumnToQuery($colname)
    +    #end
       #end
       ##
       ## Tag filtering
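Review bot: the nested `#if`/`#else` in this hunk repeats `#livetable_addColumnToQuery($colname)` in two branches; a single guard is easier to read and cannot drift between the branches, e.g. `#if ($className == '' || !$class.get($colname) || $class.get($colname).classType != 'Password')`. Two smaller points: the comment "If a classname is defined and the class field corresponding to the column name," is missing its verb (presumably "exists"), and `$class` is not set anywhere in this hunk, so please confirm it is resolved from `$className` earlier in the macro. Note also that a request which omits `classname` but still names the password column falls straight into the `#else` branch; whether that path can reach password data depends on the query built outside this hunk and deserves its own test.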
    
  • xwiki-platform-core/xwiki-platform-livetable/xwiki-platform-livetable-ui/src/test/java/org/xwiki/livetable/LiveTableResultsTest.java (+31 −0, modified)
    @@ -20,6 +20,7 @@
     package org.xwiki.livetable;
     
     import java.util.Arrays;
    +import java.util.Collections;
     import java.util.HashMap;
     import java.util.List;
     import java.util.Map;
    @@ -44,6 +45,7 @@
     
     import com.xpn.xwiki.XWikiContext;
     import com.xpn.xwiki.doc.XWikiDocument;
    +import com.xpn.xwiki.objects.classes.BaseClass;
     import com.xpn.xwiki.objects.classes.StaticListClass;
     import com.xpn.xwiki.plugin.tag.TagPluginApi;
     
    @@ -500,6 +502,35 @@ void removeObfuscatedResultsWhenLimitIs0() throws Exception
             assertEquals(emptyList(), getRows());
         }
     
    +    @Test
    +    void cleanupAccessToPasswordFields() throws Exception
    +    {
    +        // Initialize an XClass with a password field.
    +        DocumentReference documentReference = new DocumentReference("xwiki", "XWiki", "MyClass");
    +        XWikiDocument xwikiDocument = this.xwiki.getDocument(documentReference, this.context);
    +        BaseClass xClass = xwikiDocument.getXClass();
    +        xClass.addPasswordField("password", "Password", 30);
    +        this.xwiki.saveDocument(xwikiDocument, this.context);
    +
    +        when(this.queryService.hql(anyString())).thenReturn(this.query);
    +        when(this.query.setLimit(anyInt())).thenReturn(this.query);
    +        when(this.query.setOffset(anyInt())).thenReturn(this.query);
    +        when(this.query.bindValues(any(Map.class))).thenReturn(this.query);
    +        when(this.query.count()).thenReturn(0L);
    +        when(this.query.execute()).thenReturn(Collections.emptyList());
    +
    +        this.request.put("classname", "XWiki.MyClass");
    +        this.request.put("password", "abcd");
    +        this.request.put("collist", "password");
    +
    +        renderPage();
    +
    +        verify(this.queryService).hql(", BaseObject as obj   "
    +            + "where obj.name=doc.fullName "
    +            + "and obj.className = :className "
    +            + "and doc.fullName not in (:classTemplate1, :classTemplate2)  ");
    +    }
    +
         //
         // Helper methods
         //
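Review bot: `cleanupAccessToPasswordFields` only covers the positive path (classname set, column is a Password property, the `password` filter is dropped from the query); please add the negative case for the `#else` branch, i.e. the same request without `classname`, so the behaviour of an unguarded column is pinned down rather than assumed. The assertion `verify(this.queryService).hql(", BaseObject as obj   " ...)` matches the generated HQL byte for byte, trailing spaces included, which will break on any unrelated whitespace change in the macro; capturing the argument and asserting that it does not contain `password` (plus the expected `obj.className = :className` clause) states the security property directly and is far less brittle. Nothing in this change exercises WikisLiveTableResultsMacros.xml, which receives the same fix.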
    
  • xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-ui/xwiki-platform-wiki-ui-mainwiki/src/main/resources/WikiManager/WikisLiveTableResultsMacros.xml (+9 −1, modified)
    @@ -57,7 +57,15 @@
       ##
       #set($tablelist = [])
       #foreach($colname in $collist)
    -    #livetable_addColumnToQuery($colname)
    +    ## If a classname is defined and the class field corresponding to the column name,
    +    ## we check the type of the field and skip it if it's Password.
    +    #if ($className != '' &amp;&amp; $class.get($colname))
    +      #if ($class.get($colname).classType != 'Password')
    +        #livetable_addColumnToQuery($colname)
    +      #end
    +    #else
    +      #livetable_addColumnToQuery($colname)
    +    #end
       #end
       ##
       ## Tag filtering
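Review bot: this hunk is a verbatim copy of the one in LiveTableResultsMacros.xml, down to the truncated comment; duplicated security checks are the ones that diverge on the next fix. Consider moving the `classType != 'Password'` guard into `#livetable_addColumnToQuery` itself (or a shared helper macro) so that both callers, and any future live table macro, get the check without having to remember it. This file also has no test in the change, unlike LiveTableResultsMacros.xml.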
    

