PT-2023-31148 · Xwiki · Xwiki Change Request

Michitux · Published 2023-12-04 · Updated 2023-12-08 · CVE-2023-49280

CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: XWiki Change Request versions prior to 1.10

Description: The issue allows an attacker to obtain the password hashes of users by editing user profiles through a change request and downloading the XML file that the change request creates. This vulnerability affects all versions of Change Request, but the impact depends on the rights configured on the wiki: the attacker needs the Change request right and view rights on the targeted page. The issue cannot easily be exploited in an automated way.

Recommendations: For versions prior to 1.10, upgrade to Change Request 1.10, which applies the patch that denies users the right to edit pages containing password fields through change requests. As a temporary workaround, consider denying the Change request right on some spaces, such as the XWiki space, which by default contains every user profile.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2023-49280
GHSA-2FR7-CC7P-P45Q

Affected Products

Xwiki Change Request