CVE-2023-26476
📋 TL;DR
This vulnerability in XWiki Platform allows attackers to deduce password field contents through repeated calls to LiveTableResults and WikisLiveTableResultsMacros macros. It affects all XWiki installations running vulnerable versions, potentially exposing user credentials. The issue stems from information disclosure in these macros.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically deduce password values, leading to credential theft, account compromise, and potential privilege escalation across the XWiki instance.
Likely Case
Attackers with access to the vulnerable macros could extract password information over time, compromising user accounts and potentially accessing sensitive wiki content.
If Mitigated
With proper access controls limiting macro execution to trusted users only, the attack surface is reduced, though the vulnerability still exists in the code.
🎯 Exploit Status
Exploitation requires access to call the vulnerable macros, which typically requires some level of authentication, but the technique is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.7-rc-1, 13.4.4, 13.10.9 or higher
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5cf8-vrr8-8hjm
Restart Required: Yes
Instructions:
1. Upgrade to XWiki 14.7-rc-1 or higher, OR 13.4.4 or higher, OR 13.10.9 or higher.
2. Apply manual patch from commit 7f8825537c9523ccb5051abd78014d156f9791c8 if on version >= 3.2M3.
3. Restart XWiki service.
🔧 Temporary Workarounds
Restrict Macro Access
Limit access to the LiveTableResults and WikisLiveTableResultsMacros macros to trusted administrators only
Configure XWiki rights to restrict macro execution to admin users only
🧯 If You Can't Patch
- Implement strict access controls to limit who can execute LiveTableResults and WikisLiveTableResultsMacros macros
- Monitor logs for repeated calls to these macros and investigate suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check XWiki version against affected ranges. Review if LiveTableResults or WikisLiveTableResultsMacros macros are accessible to non-admin users.
Check Version:
Check XWiki version in administration panel or via xwiki.cfg configuration file
Verify Fix Applied:
Verify XWiki version is 14.7-rc-1+, 13.4.4+, or 13.10.9+. Test that password field content cannot be deduced through repeated macro calls.
📡 Detection & Monitoring
Log Indicators:
- Repeated calls to LiveTableResults or WikisLiveTableResultsMacros from the same source
- Unusual macro execution patterns
Network Indicators:
- Multiple requests to macro endpoints in short timeframes
SIEM Query:
source="xwiki" AND (uri="*LiveTableResults*" OR uri="*WikisLiveTableResultsMacros*") | stats count by src_ip
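As an added example (not from the advisory or the XWiki project), the log indicators above checked offline in Python over constructed access-log lines: it flags any source that calls either macro endpoint at least a threshold number of times inside a sliding time window, the same idea as the SIEM query. Addresses, timestamps and request paths are made up for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (Apache combined-log style, hypothetical XWiki paths);
# not real traffic from any XWiki instance. Lines are in chronological order.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2023:10:00:01 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:02 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:03 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:04 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2023:10:00:05 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?outputSyntax=plain HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2023:10:00:06 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4096
10.0.0.7 - - [01/Mar/2023:10:05:00 +0000] "GET /xwiki/bin/get/XWiki/WikisLiveTableResultsMacros HTTP/1.1" 200 300
10.0.0.7 - - [01/Mar/2023:10:25:00 +0000] "GET /xwiki/bin/get/XWiki/WikisLiveTableResultsMacros HTTP/1.1" 200 300
"""

# The two macro names from the advisory; matching the URI is enough here.
MACRO_RE = re.compile(r"LiveTableResults|WikisLiveTableResultsMacros")
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (src_ip, timestamp, uri, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, uri, status = m.groups()
    return src, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), uri, int(status)


def find_repeated_callers(log_text, threshold=4, window_seconds=60):
    """Return {src_ip: peak count} for sources that hit a macro endpoint at
    least `threshold` times within any `window_seconds` sliding window."""
    windows = defaultdict(deque)  # per-source timestamps inside the window
    peaks = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not MACRO_RE.search(parsed[2]):
            continue  # skip unparseable lines and unrelated requests
        src, ts, _, _ = parsed
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop timestamps that fell out of the window
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks


if __name__ == "__main__":
    print(find_repeated_callers(SAMPLE_LOG))  # {'10.0.0.5': 5}
```

Tune `threshold` and `window_seconds` to the instance's normal live-table traffic; legitimate users paging through a live table also call LiveTableResults repeatedly, so a flagged source is a lead to investigate, not proof of abuse.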
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5cf8-vrr8-8hjm
- https://jira.xwiki.org/browse/XWIKI-19949