PT-2022-26166 · Xwiki · Xwiki Platform

Michael Hamann · Published 2022-11-21 · Updated 2023-07-06 · CVE-2022-41935

CVSS v3.1 5.3 Medium
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.6RC1
XWiki Platform versions prior to 13.10.8
XWiki Platform versions prior to 14.4.3
Description
Users who do not hold view right on a document can nonetheless deduce that it exists, and recover its title or content, through repeated Livetable queries. The Livetable results response is not properly cleaned of obfuscated entries: a document the requesting user may not view still produces an obfuscated entry whenever it matches the filter, so the filter works as a yes/no oracle on protected text. By iteratively extending the match one character at a time, the full title or content can be discovered. Several tests can be combined in a single request, which lets the attacker run a binary search over a list of possible characters or words and narrow down the actual match in a logarithmic number of requests. Consistent with the CVSS vector, no privileges or user interaction are needed (PR:N, UI:N) and the impact is limited to confidentiality (C:L).
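To make the oracle concrete, the following is an added example, written for this page and not XWiki's code nor the advisory's proof of concept. It models a Livetable results request over a constructed two-document corpus, with the vulnerable behaviour (obfuscated rows for non-viewable matches left in the response) beside the fixed behaviour (those rows dropped), and runs the attacker's character-by-character extraction with half of the alphabet packed into each request for a binary search. The request shape, the OR-joined prefix-match filter semantics, the field names, the class names and the corpus are all assumptions made for illustration.

```python
"""Model of the Livetable oracle behind CVE-2022-41935 (added example, not XWiki code)."""

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    title: str
    viewable: bool  # whether the querying (unprivileged) user holds view right


# Constructed corpus for the demo: one public page, one the user cannot view.
CORPUS = [
    Doc("Public home", viewable=True),
    Doc("Q3 layoffs", viewable=False),
]

ALPHABET = string.ascii_lowercase + string.digits + " "


def livetable_results(corpus, title_prefixes, *, cleaned):
    """Simplified stand-in for a Livetable results request filtered on title.

    title_prefixes: several filter values for the title column, OR-joined and
    each treated as a case-insensitive prefix match (assumed semantics, used
    here so that several tests fit into one request).
    cleaned=False models the vulnerable behaviour: matches the user may not
    view remain in the response as obfuscated rows. cleaned=True models the
    fix: such rows are removed before the response is built.
    """
    wanted = [p.lower() for p in title_prefixes]
    rows = []
    for doc in corpus:
        if not any(doc.title.lower().startswith(p) for p in wanted):
            continue
        if doc.viewable:
            rows.append({"doc_title": doc.title, "doc_viewable": True})
        elif not cleaned:
            rows.append({"doc_title": "obfuscated", "doc_viewable": False})
    return {"totalrows": len(rows), "rows": rows}


class Attacker:
    """Unprivileged client that sees nothing but the JSON livetable_results returns."""

    def __init__(self, corpus, *, cleaned):
        self.corpus = corpus
        self.cleaned = cleaned
        self.requests = 0

    def hidden_match(self, prefixes):
        """Oracle: does a document the user cannot view match any of the prefixes?"""
        self.requests += 1
        resp = livetable_results(self.corpus, prefixes, cleaned=self.cleaned)
        return any(not row["doc_viewable"] for row in resp["rows"])

    def extract_title(self, alphabet=ALPHABET, max_len=64):
        """Recover one hidden title a character at a time.

        Each position costs at most ceil(log2(len(alphabet))) + 1 requests:
        one to learn whether any character extends the known prefix, then a
        binary search that tests half of the remaining candidates per request.
        Assumes a single hidden document matches the growing prefix.
        """
        known = ""
        while len(known) < max_len:
            if not self.hidden_match([known + c for c in alphabet]):
                break  # no character extends the prefix: the title is complete
            cands = list(alphabet)
            while len(cands) > 1:
                half = cands[: len(cands) // 2]
                if self.hidden_match([known + c for c in half]):
                    cands = half
                else:
                    cands = cands[len(half):]
            known += cands[0]
        return known


def run_extraction(*, cleaned):
    """Run the attack against the vulnerable (cleaned=False) or fixed model; returns (title, requests)."""
    attacker = Attacker(CORPUS, cleaned=cleaned)
    title = attacker.extract_title()
    return title, attacker.requests


if __name__ == "__main__":
    print("vulnerable:", run_extraction(cleaned=False))
    print("fixed:     ", run_extraction(cleaned=True))
```

Against the vulnerable model the loop recovers the hidden title (lower-cased, because the match is case-insensitive) in well under a hundred requests; against the fixed model the very first request returns no obfuscated row and the attacker learns nothing, which is the property the patch to XWiki.LiveTableResultsMacros is meant to restore.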
Recommendations
For versions prior to 14.6RC1, update to version 14.6RC1 or later.
For versions prior to 13.10.8, update to version 13.10.8 or later.
For versions prior to 14.4.3, update to version 14.4.3 or later.
As a temporary workaround on versions 12.10.11, 13.9-rc-1 and 13.4.4, where an upgrade is not immediately possible, apply the patch to the document XWiki.LiveTableResultsMacros manually or import a XAR archive of a patched version of that document.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2022-41935
GHSA-P2X4-6GHR-6VMQ

Affected Products

Xwiki Platform