XWiki Platform Legacy Old Core and Old Core Database List Property Password Exposure Vulnerability

A vulnerability exists in XWiki Platform Legacy Old Core and Old Core versions 9.8-rc-1 prior to 16.4.7, 16.5.0-rc-1 prior to 16.10.5, and 17.0.0-rc-1 prior to 17.2.0-rc-1. Any user with editing rights can create an XClass that includes a database list property referencing a password property. When an object of this XClass is added, the password property's content is revealed. This allows users to access password hashes of all users, and potentially other password properties stored as plain text or hashes, from pages they can view.

Impact

Exploitation of this vulnerability allows for unauthorized access to password hashes of all users on the wiki, and possibly other accessible password properties, depending on the storage method, from viewed pages.

Reproduction

To reproduce this vulnerability, edit a document using the class editor. Add a database list property named 'password' and set the 'XWiki Class Name' to 'XWiki.XWikiUsers', with 'Id Field Name' as 'doc.fullName' and 'Value Field Name' as 'password'. After saving the XClass, use the Object editor to add an object of the created XClass. The select for the 'password' will display username and password hashes of all users on the wiki.

Remediation

Users can update to XWiki versions 16.4.7, 16.10.5, or 17.2.0-rc-1, where this vulnerability has been fixed by disallowing the use of password properties in database list properties. Queries for email properties are also restricted when email obfuscation is enabled.