XWiki Platform Legacy Old Core and Old Core Password and Email Exposure Vulnerability

Vulnerability

A vulnerability exists in XWiki Platform Legacy Old Core and Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The issue arises in the XML export of a page, which can be accessed by any user with view rights by appending '?xpage=xml' to the URL. This export inadvertently includes password and email properties from the document, except for those explicitly named 'password' or 'email'. As a result, any user can retrieve the salted and hashed user account verification or password reset token. While the immediate impact of this exposure is low, as these tokens are randomly generated and not easily brute-forced, there is a risk if any custom extensions store passwords in plain text.

Impact

Exploitation of this vulnerability leads to the unauthorized inclusion of sensitive password and email properties in the XML export, with the potential exposure of hashed password reset tokens.

Reproduction

To reproduce this vulnerability, request a password reset token for any user. Then, access the user's profile page by appending '?xpage=xml' to the URL. The exported XML will contain the hashed password reset token, demonstrating the vulnerability.

Remediation

Users can upgrade to XWiki Platform versions 16.4.7, 16.10.5, or 17.2.0-rc-1, where this vulnerability has been fixed. Alternatively, if the XML export feature is not needed, the 'templates/xml.vm' file can be deleted from the deployed WAR.
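As an added example, not part of this advisory or of XWiki's own code, the following check can be run over a saved XML export (for instance after upgrading or deleting 'templates/xml.vm') to confirm that no password- or e-mail-typed property values still appear in it. The sample document is constructed, and its layout (an 'xwikidoc' root with 'object', 'class', 'property' and 'classType' elements) is an assumption about the export format, as are the class-type and property names used.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on an XWiki page export; the element layout and
# the property name 'reset_token' are assumptions, not copied from XWiki.
SAMPLE_EXPORT = """<xwikidoc>
  <name>JaneDoe</name>
  <object>
    <name>XWiki.JaneDoe</name>
    <class>
      <name>XWiki.XWikiUsers</name>
      <email><classType>com.xpn.xwiki.objects.classes.EmailClass</classType></email>
      <password><classType>com.xpn.xwiki.objects.classes.PasswordClass</classType></password>
      <reset_token><classType>com.xpn.xwiki.objects.classes.PasswordClass</classType></reset_token>
      <first_name><classType>com.xpn.xwiki.objects.classes.StringClass</classType></first_name>
    </class>
    <property><first_name>Jane</first_name></property>
    <property><reset_token>hash:SHA-512:constructed-salt:constructed-digest</reset_token></property>
  </object>
</xwikidoc>
"""

# Property types whose values must never reach a view-rights export.
SENSITIVE_TYPES = ("PasswordClass", "EmailClass")


def sensitive_properties(xml_text):
    """Return (object name, property name, class type) for every property value
    in the export whose class definition is a password or e-mail type.
    Matching on the declared type, not on the names 'password'/'email', is what
    catches fields such as a hashed reset token stored under another name."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.findall("object"):
        obj_name = obj.findtext("name", "")
        cls = obj.find("class")
        if cls is None:
            continue
        # Map property name -> class type for the sensitive definitions.
        sensitive = {}
        for prop_def in cls:
            if prop_def.tag == "name":
                continue
            class_type = prop_def.findtext("classType", "")
            if class_type.rsplit(".", 1)[-1] in SENSITIVE_TYPES:
                sensitive[prop_def.tag] = class_type
        # Any value present for one of those names is an exposure.
        for prop in obj.findall("property"):
            for value in prop:
                if value.tag in sensitive:
                    findings.append((obj_name, value.tag, sensitive[value.tag]))
    return findings


if __name__ == "__main__":
    for obj_name, prop_name, class_type in sensitive_properties(SAMPLE_EXPORT):
        print(f"EXPOSED: {obj_name}.{prop_name} ({class_type})")
```

An empty result on an export fetched with view rights only is the expected state after the fix; any finding means the export still carries a sensitive value.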

Added: Aug 6, 2025, 12:39 AM
Updated: Aug 6, 2025, 12:39 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 9.5
remediation: 8.3
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.