Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users without the right to view documents can deduce their existence by repeated Livetable queries. The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3, the response is not properly cleaned up of obfuscated entries. As a workaround, The patch for the document `XWiki.LiveTableResultsMacros` can be manually applied or a XAR archive of a patched version can be imported, on versions 12.10.11, 13.9-rc-1, and 13.4.4. There are no known workarounds for this issue.

Remediation

References

https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p2x4-6ghr-6vmq

https://jira.xwiki.org/browse/XWIKI-19999

Related Vulnerabilities

CVE-2021-41184 Vulnerability in maven package org.webjars.npm:jquery-ui

CVE-2021-23370 Vulnerability in npm package swiper

CVE-2023-27602 Vulnerability in maven package org.apache.linkis:linkis-storage-script-dev-server

CVE-2023-3635 Vulnerability in maven package com.squareup.okio:okio

CVE-2021-23346 Vulnerability in npm package html-parse-stringify2

Severity

Medium

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Patch Third Party Advisory Exploit Issue Tracking Vendor Advisory NVD-CWE-Other