Beware of Change Request Vulnerability in XWiki

CVE: CVE-2023-49280
CVSS v3.1: 7.7
Source: CVE-2023-49280

The XWiki Change Request application, which lets users propose changes to wiki pages without publishing the edits directly, contains a vulnerability that exposes users' password hashes, and any other stored password field, to anyone who can create a change request.

By default, Change Request lets a user edit any wiki page they can view, and every change request is exported to an XML file that anyone can download. The export carries the page's raw object properties, including password fields that the rendered page never displays. An attacker can therefore open a change request on a user profile page and read the password hash stored in the profile from the export. The same applies to any other page the attacker can view that contains a password field.

All versions of Change Request are affected. The severity depends on the rights configured in the wiki: the attacker needs the “Change request” right, which is granted by default, and view access to the target page. The attack is not easily automated.

Change Request 1.10 patches the issue: it refuses to edit any page that contains a password field through a change request, so administrators should upgrade immediately. The fix does not touch change requests that already exist on such pages, so administrators must review and remove them after upgrading. As a workaround, or as defence in depth, deny the “Change request” right on spaces that hold sensitive pages, such as the XWiki space where user profiles live, so that those pages cannot be edited through a change request by default.
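The check the fix performs can also be run offline as an audit of existing change request exports. The script below is an added example, not code from XWiki or from the Change Request application: it parses a document XML export and flags every object field whose class definition is declared with XWiki's PasswordClass type, so a password field is found by its type rather than by its name. The export layout, the `com.xpn.xwiki.objects.classes.PasswordClass` type name and the sample profile page are assumptions constructed for this example; run it over the XML attached to existing change requests to find the ones administrators need to remove.

```python
"""Audit an XWiki document XML export for password-typed fields.

Added example, not part of XWiki or the Change Request application.
Assumes the XWiki export layout: an <xwikidoc> root with <object>
children, each carrying a <class> whose field definitions name their
<classType>, and <property> elements holding the stored values.
"""
import xml.etree.ElementTree as ET

# Assumed class type XWiki uses for password-typed fields.
PASSWORD_CLASS_TYPE = "com.xpn.xwiki.objects.classes.PasswordClass"

# Constructed sample: a user profile with a hashed password plus an
# unrelated object holding only a text field. Values are illustrative.
SAMPLE_EXPORT = """<xwikidoc reference="XWiki.JaneDoe" locale="">
  <web>XWiki</web>
  <name>JaneDoe</name>
  <object>
    <name>XWiki.JaneDoe</name>
    <number>0</number>
    <className>XWiki.XWikiUsers</className>
    <class>
      <name>XWiki.XWikiUsers</name>
      <first_name>
        <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
        <name>first_name</name>
      </first_name>
      <password>
        <classType>com.xpn.xwiki.objects.classes.PasswordClass</classType>
        <name>password</name>
      </password>
    </class>
    <property><first_name>Jane</first_name></property>
    <property><password>hash:SHA-512:0123abcd:deadbeef</password></property>
  </object>
  <object>
    <name>XWiki.JaneDoe</name>
    <number>0</number>
    <className>Example.NotesClass</className>
    <class>
      <name>Example.NotesClass</name>
      <note>
        <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType>
        <name>note</name>
      </note>
    </class>
    <property><note>nothing secret here</note></property>
  </object>
</xwikidoc>
"""


def find_password_fields(xml_text):
    """Return (className, fieldName, has_value) for every field in the
    export whose declared classType is the password type. Matching on the
    type rather than the field name means a password field called, say,
    "secret" is still reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        class_name = obj.findtext("className", default="?")
        class_def = obj.find("class")
        if class_def is None:
            continue
        for field in class_def:
            if field.findtext("classType") != PASSWORD_CLASS_TYPE:
                continue
            # Stored values sit under <property><fieldName>...</fieldName>
            value = None
            for prop in obj.findall("property"):
                node = prop.find(field.tag)
                if node is not None:
                    value = node.text
            findings.append((class_name, field.tag, bool(value)))
    return findings


def document_is_safe_for_change_request(xml_text):
    """True when the page holds no password-typed field, i.e. a change
    request on it cannot leak a hash through the XML export."""
    return not find_password_fields(xml_text)


if __name__ == "__main__":
    for class_name, field, has_value in find_password_fields(SAMPLE_EXPORT):
        state = "value present" if has_value else "empty"
        print(f"password field {class_name}.{field}: {state}")
    print("safe for change request:", document_is_safe_for_change_request(SAMPLE_EXPORT))
```

The sample profile is reported as unsafe because its `XWiki.XWikiUsers` object declares a PasswordClass field holding a hash; the second object, which has only a text area, produces no finding.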

If you run XWiki with Change Request, upgrade the application to version 1.10 or later, or restrict the “Change request” right on sensitive pages, to close this exposure of password hashes. Contact your XWiki administrator if you have further concerns.
