Name of the Vulnerable Software and Affected Versions:
XWiki Platform versions 1.1 through 16.4.6
XWiki Platform versions 16.5.0-rc-1 through 16.10.4
XWiki Platform versions 17.0.0-rc-1 through 17.1.0
Description:
XWiki Platform Legacy Old Core and XWiki Platform Old Core are affected by an issue where the XML export of a page, accessible to any user with view rights by appending `?xpage=xml` to the URL, includes `password` and `email` properties stored on a document – even if these properties are not explicitly named `password` or `email`.
Recommendations:
XWiki Platform versions prior to 16.4.7 should be updated.
XWiki Platform versions prior to 16.10.5 should be updated.
XWiki Platform versions prior to 17.2.0-rc-1 should be updated.
If the XML export functionality is not required, delete the `templates/xml.vm` file from the deployed WAR file.
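Added example, not part of the original advisory or of XWiki's code: a check an administrator can run over page XML saved from their own instance to confirm, after updating, that no password- or email-typed property still carries a value. It classifies properties by their declared class type rather than by name; the element layout (`object`, `class`, `classType`, `property`) and the class type strings are assumptions based on XWiki's document XML format, and the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Class types XWiki uses for password and e-mail properties (assumed names).
SENSITIVE_TYPES = {
    "com.xpn.xwiki.objects.classes.PasswordClass": "password",
    "com.xpn.xwiki.objects.classes.EmailClass": "email",
}

def find_exposed_properties(export_xml):
    """Return sorted (class, property, kind) for each password- or email-typed
    property that carries a non-empty value in the exported XML."""
    findings = set()
    for obj in ET.fromstring(export_xml).iter("object"):
        class_name = obj.findtext("className", default="?")
        # Classify by the declared classType in the embedded class definition,
        # never by the property's name.
        kinds = {}
        class_def = obj.find("class")
        for prop_def in (class_def if class_def is not None else ()):
            kind = SENSITIVE_TYPES.get(prop_def.findtext("classType", default=""))
            if kind:
                kinds[prop_def.tag] = kind
        for value in obj.findall("property/*"):
            if value.tag in kinds and (value.text or "").strip():
                findings.add((class_name, value.tag, kinds[value.tag]))
    return sorted(findings)

# Constructed sample; the layout is assumed from XWiki's document XML format.
SAMPLE_EXPORT = """<xwikidoc>
  <object>
    <className>Ops.IntegrationClass</className>
    <class>
      <name>Ops.IntegrationClass</name>
      <apiSecret><classType>com.xpn.xwiki.objects.classes.PasswordClass</classType></apiSecret>
      <contact><classType>com.xpn.xwiki.objects.classes.EmailClass</classType></contact>
      <title><classType>com.xpn.xwiki.objects.classes.StringClass</classType></title>
    </class>
    <property><apiSecret>constructed-secret-value</apiSecret></property>
    <property><contact>ops@example.org</contact></property>
    <property><title>Build hooks</title></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    # Report names only; values are deliberately never printed.
    for class_name, prop, kind in find_exposed_properties(SAMPLE_EXPORT):
        print(f"EXPOSED {kind}-typed property {class_name}.{prop}")
```

An empty result for a page known to hold such properties indicates the export no longer carries their values.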