GHSA-5cf8-vrr8-8hjm

Suggest an improvement
Source
https://github.com/advisories/GHSA-5cf8-vrr8-8hjm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-5cf8-vrr8-8hjm/GHSA-5cf8-vrr8-8hjm.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-5cf8-vrr8-8hjm
Aliases
Published
2023-03-03T22:47:49Z
Modified
2023-11-01T05:01:32.220394Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
XWiki Platform packages Expose Sensitive Information to an Unauthorized Actor
Details

Impact

Users can deduce the content of the password fields by repeated call to LiveTableResults and WikisLiveTableResultsMacros.

Patches

The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9.

Workarounds

The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on LiveTableResults and WikisLiveTableResultsMacros.

References

  • Jira: https://jira.xwiki.org/browse/XWIKI-19949
  • Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8

For more information

If you have any questions or comments about this advisory:

Database specific
{
    "nvd_published_at": "2023-03-02T19:15:00Z",
    "github_reviewed_at": "2023-03-03T22:47:49Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-307"
    ]
}
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2-m3
Fixed
13.4.4

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2-m3
Fixed
13.4.4

Maven / org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.5.0
Fixed
13.10.9

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type
ECOSYSTEM
Events
Introduced
13.5.0
Fixed
13.10.9

Maven / org.xwiki.platform:xwiki-platform-livetable-ui

Package

Name
org.xwiki.platform:xwiki-platform-livetable-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-livetable-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.7-rc-1

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.7-rc-1