Data leak of password hash through xwiki change request
CVE-2023-49280

7.7 HIGH

Key Information:

Vendor:
XWiki
CVE Published:
4 December 2023

Summary

The XWiki Change Request application contains a vulnerability that lets users who lack edit rights on a page nonetheless edit it through a change request and then download the resulting XML file, which can contain sensitive data such as password hashes. By default, the Change Request feature allows users to open a change request against any page, so an attacker can target user profile pages. After making such an edit, the attacker can download an XML export of the change request that may include password hashes for any document the user is permitted to view. All versions of the Change Request application are affected, so administrators should immediately restrict Change Request editing rights on any page that contains password fields. The patch shipped in Change Request 1.10 mitigates the issue for new change requests, but administrators must also manually review and clean up existing change requests. As a workaround, the Change Request right can be revoked manually in the relevant spaces, in particular the spaces holding user profiles.

Affected Version(s)

application-changerequest >= 0.1, < 1.10

References

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
