Advisories for Maven/Org.xwiki.platform/Xwiki-Platform-Legacy-Oldcore package

2025

XWiki leaks password hashes and other accessible password properties

Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access …

XWiki exposes passwords and emails stored in fields not named password/email in xml.vm

The XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This allows any user to obtain the salted and hashed user account validation or password reset token. As those tokens are randomly generated strings, the immediate impact of …

2023