CVE-2026-48048
HIGH 7.5
XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests
Description
### Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the `LiveTableResults`, it is still possible to discover password hashes one bit at a time, so with 768 requests a user's full password salt and hash can be retrieved.

### Patches

The check for password (and email) properties has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

### Workarounds

The [patch](https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a) can be applied manually to the wiki page `XWiki.LiveTableResultsMacros`.

### Resources

* https://jira.xwiki.org/browse/XWIKI-23875
* https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa
Affected packages (1)
- Maven / org.xwiki.platform:xwiki-platform-livetable-ui: >= 6.2.1, < 16.10.17
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |