PT-2024-24095 · Xwiki · Xwiki Platform

Simon Urli

·

Published

2024-04-10

·

Updated

2025-01-09

·

CVE-2024-31464

CVSS v3.1

6.8

Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 5.0-rc-1 through 14.10.18
XWiki Platform versions 14.10.19 through 15.5.3
XWiki Platform versions 15.5.4 up to, but not including, 15.9-rc-1
Description

The history diff feature exposes a stored password hash whenever the xobject holding the password is deleted: comparing the revision before the deletion with the revision after it shows the removed object's properties, including the hash. An attacker with edit rights on a user's page can therefore delete the password-bearing xobject, view the diff to obtain the user's password hash, and roll the deletion back. On user profile pages the default rights prevent this, because only the profile owner and users with Admin rights may edit them; Admin users are not prevented. Extensions that store passwords in xobjects on other pages are affected as well, depending on the rights granted on those pages. Exploitation cannot be ruled out from the history alone: an attacker with sufficient privileges could have rolled back the deletion and then deleted the revision in which the xobject was removed.
Recommendations

For XWiki Platform versions 5.0-rc-1 through 14.10.18, upgrade to version 14.10.19 or later. For XWiki Platform versions 14.10.19 through 15.5.3, upgrade to version 15.5.4 or later. For XWiki Platform versions from 15.5.4 up to, but not including, 15.9-rc-1, upgrade to version 15.9-rc-1 or later.

As a temporary workaround, make sure user pages are properly protected by granting edit rights only to Admin users and the owner of the profile. Reset the password on every page that carries a user password xobject and whose history contains a revision in which that object was deleted, since the hash has been viewable in the diff since that revision.
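The second part of the workaround is a history audit: find pages whose revision history contains a deletion of the xobject that stores the password, and treat those as compromised. The Python below is an added example written for this page, not code from XWiki or the advisory. It runs the check over constructed, in-memory revision data rather than a live wiki, so the `Revision` type, the sample histories and the helper names are assumptions; the class name XWiki.XWikiUsers (whose `password` property holds the hash) is real. It also flags gaps in the version sequence, since the description notes that a privileged attacker could have deleted the telltale revision after rolling the deletion back; treating a non-contiguous version list as a sign of possible history tampering is a heuristic that assumes XWiki's usual numbering (a major edit goes from x.y to (x+1).1, a minor edit from x.y to x.(y+1)).

```python
"""Triage helper for CVE-2024-31464 (password hash visible in history diffs).

Added example, not XWiki project code. Walks a page's revision history and
reports (a) revisions in which a password-bearing xobject was removed, which
is the exact diff that leaks the hash, and (b) gaps in the version sequence,
which may mean the telltale revision was deleted.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Classes whose xobjects carry a password hash. XWiki.XWikiUsers is the real
# user profile class; extensions storing passwords in their own classes would
# be added here (assumption: the operator knows which ones are deployed).
PASSWORD_CLASSES = {"XWiki.XWikiUsers"}


@dataclass
class Revision:
    version: str                    # XWiki-style "major.minor", e.g. "3.1"
    author: str                     # document reference of the saving user
    objects: Dict[str, List[int]]   # class name -> xobject numbers present


def version_key(version: str) -> Tuple[int, int]:
    """Sort key for XWiki version strings ("10.1" sorts after "9.2")."""
    major, minor = version.split(".")
    return int(major), int(minor)


def find_password_object_deletions(history: List[Revision]) -> List[dict]:
    """One finding per revision that dropped a password-bearing xobject.

    Comparing each revision's object set with its predecessor mirrors what
    the history diff view shows; an object that disappears between two
    revisions has its properties, including the hash, rendered in that diff.
    """
    findings = []
    ordered = sorted(history, key=lambda r: version_key(r.version))
    for prev, cur in zip(ordered, ordered[1:]):
        for cls in sorted(PASSWORD_CLASSES):
            removed = set(prev.objects.get(cls, [])) - set(cur.objects.get(cls, []))
            for num in sorted(removed):
                findings.append({"version": cur.version, "class": cls,
                                 "object": num, "by": cur.author})
    return findings


def find_version_gaps(history: List[Revision]) -> List[Tuple[str, str]]:
    """Consecutive surviving revisions that are not adjacent in numbering.

    Heuristic (assumption about XWiki numbering): a major save follows x.y
    with (x+1).1, a minor save with x.(y+1). Anything else means at least one
    revision between the two was deleted from the history.
    """
    gaps = []
    ordered = sorted(history, key=lambda r: version_key(r.version))
    for prev, cur in zip(ordered, ordered[1:]):
        pm, pn = version_key(prev.version)
        cm, cn = version_key(cur.version)
        adjacent = (cm == pm + 1 and cn == 1) or (cm == pm and cn == pn + 1)
        if not adjacent:
            gaps.append((prev.version, cur.version))
    return gaps


def triage(history: List[Revision]) -> dict:
    """Decide whether the page's password must be reset and whether the
    history can be trusted to answer that question."""
    deletions = find_password_object_deletions(history)
    gaps = find_version_gaps(history)
    return {
        "reset_password": bool(deletions),
        "deletions": deletions,
        "gaps": gaps,
        "history_tampering_possible": bool(gaps),
    }


# Constructed sample histories (not real wiki data). Object numbers are the
# index XWiki appends to a class name, e.g. XWiki.XWikiUsers[0].
SAMPLE_ALICE = [
    Revision("1.1", "XWiki.alice", {"XWiki.XWikiUsers": [0]}),
    Revision("2.1", "XWiki.alice", {"XWiki.XWikiUsers": [0]}),
    Revision("3.1", "XWiki.mallory", {}),                          # object deleted: diff 2.1 -> 3.1 shows the hash
    Revision("4.1", "XWiki.mallory", {"XWiki.XWikiUsers": [0]}),   # deletion rolled back; diff still visible
]
SAMPLE_BOB = [
    Revision("1.1", "XWiki.bob", {"XWiki.XWikiUsers": [0]}),
    Revision("2.1", "XWiki.bob", {"XWiki.XWikiUsers": [0]}),
    Revision("4.1", "XWiki.bob", {"XWiki.XWikiUsers": [0]}),       # 3.1 is missing from the history
]

if __name__ == "__main__":
    for name, hist in (("XWiki.alice", SAMPLE_ALICE), ("XWiki.bob", SAMPLE_BOB)):
        print(name, triage(hist))
```

For a live wiki the `objects` map per revision would be filled from the page's history, and a page is only cleared when both `reset_password` and `history_tampering_possible` are false; a gap without a visible deletion (the bob case) still warrants a reset because the missing revision could be exactly the one the advisory describes.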

Information Disclosure

Related Identifiers

CVE-2024-31464
GHSA-V782-XR4W-3VQX

Affected Products

Xwiki Platform