CVE-2023-49280
📋 TL;DR
This vulnerability in XWiki Change Request allows attackers with change request permissions to edit pages containing password fields and export the changes via XML files, potentially exposing password hashes. It affects all versions of the Change Request application when default permissions are used. The risk is higher on wikis where users have broad change request rights.
💻 Affected Systems
- XWiki Change Request application
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain password hashes from user profiles or other documents containing password fields, potentially leading to credential compromise and unauthorized access.
Likely Case
Exposure of password hashes from user profiles that attackers could attempt to crack offline, particularly in environments with weak password policies.
If Mitigated
Minimal impact if change request rights are properly restricted on sensitive spaces or if the vulnerability is patched.
🎯 Exploit Status
Requires an authenticated user with change request permissions. Cannot be easily automated, according to the advisory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Change Request 1.10
Vendor Advisory: https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q
Restart Required: No
Instructions:
1. Upgrade the XWiki Change Request application to version 1.10 or later.
2. Review and clean up any existing change requests for pages containing password fields, as they won't be automatically removed by the patch.
🔧 Temporary Workarounds
Restrict Change Request Rights
Manually deny the Change Request right on sensitive spaces, particularly the XWiki space, which contains user profiles.
Use XWiki administration interface to modify space permissions and deny Change Request right on XWiki space and other sensitive spaces.
🧯 If You Can't Patch
- Immediately restrict Change Request permissions on all spaces containing user profiles or password fields
- Monitor and audit all existing change requests for suspicious activity targeting password-containing pages
🔍 How to Verify
Check if Vulnerable:
Check whether the Change Request application version is below 1.10 and whether users have Change Request rights on spaces containing password fields.
Check Version:
Check XWiki administration interface or application directory for Change Request version information.
Verify Fix Applied:
Confirm installation of Change Request 1.10 or later and verify that users cannot create change requests for pages containing password fields.
📡 Detection & Monitoring
Log Indicators:
- Unusual change request creation activity targeting user profile pages or pages known to contain password fields
- Multiple XML export downloads following change request submissions
Network Indicators:
- Increased XML file downloads from change request functionality
SIEM Query:
Search for change request creation events targeting pages with 'password' in the title or content, followed by XML export activity by the same user.
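The correlation this query describes, as an added example that is not part of the advisory or the XWiki project: a sensitive change-request creation followed by an XML export of the same page by the same user within a short window. The key=value log format, the field names and the `content_has_password` flag are constructed assumptions; real XWiki or Change Request logs must be mapped onto these fields first.

```python
import shlex
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format (not real XWiki output).
SAMPLE_LOG = """\
2024-01-15T10:00:02Z user=alice action=changerequest.create page=Sandbox.Notes title="Meeting notes"
2024-01-15T10:03:11Z user=mallory action=changerequest.create page=XWiki.bob title="bob" content_has_password=true
2024-01-15T10:04:40Z user=mallory action=changerequest.export format=xml page=XWiki.bob
2024-01-15T10:05:00Z user=mallory action=changerequest.create page=XWiki.carol title="carol" content_has_password=true
2024-01-15T10:06:30Z user=mallory action=changerequest.export format=xml page=XWiki.carol
2024-01-15T10:10:00Z user=dave action=changerequest.create page=Help.Reset title="Password reset"
2024-01-15T11:00:00Z user=dave action=changerequest.export format=xml page=Help.Reset
2024-01-15T11:30:00Z user=alice action=changerequest.export format=xml page=Sandbox.Notes
"""

def parse_line(line):
    """Split one constructed log line into a dict; shlex keeps quoted values intact."""
    ts, *pairs = shlex.split(line)
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def is_sensitive(ev):
    """'password' in the page title, or a (constructed) flag that the content has a password field."""
    return "password" in ev.get("title", "").lower() or ev.get("content_has_password") == "true"

def correlate(log_text, window=timedelta(minutes=15)):
    """One alert per sensitive create event followed by an XML export of the same page by the same user."""
    pending = {}   # (user, page) -> timestamp of the sensitive create event
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["page"])
        if ev["action"] == "changerequest.create" and is_sensitive(ev):
            pending[key] = ev["ts"]
        elif ev["action"] == "changerequest.export" and ev.get("format") == "xml":
            created = pending.pop(key, None)
            if created is not None and ev["ts"] - created <= window:
                alerts.append({"user": ev["user"], "page": ev["page"],
                               "seconds": int((ev["ts"] - created).total_seconds())})
    return alerts

def repeat_offenders(alerts, min_hits=2):
    """Users with several create-then-export sequences (the 'multiple XML exports' indicator)."""
    counts = {}
    for a in alerts:
        counts[a["user"]] = counts.get(a["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_hits)
```

On the sample, only the two `mallory` sequences alert; `dave` exports outside the 15-minute window and `alice` never touched a sensitive page.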
🔗 References
- https://github.com/xwiki-contrib/application-changerequest/commit/ff0f5368ea04f0e4aa7b33821c707dc68a8c5ca8
- https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-2fr7-cc7p-p45q
- https://jira.xwiki.org/browse/CRAPP-302