CVE CyberSecurity Database News

CVE-2022-41933 - XWiki Platform Password Reset Vulnerability Exposes Plain Text Passwords

Poster -

XWiki Platform, a popular wiki platform used for various applications, has been found to have a critical security vulnerability (CVE-2022-41933), affecting versions 13.1RC1 and newer. The issue lies in the "reset a forgotten password" feature, which causes the password to be stored in plain text within the database. This flaw, when combined with other personal data leak vulnerabilities such as GHSA-599v-w48h-rjrm, can expose user data and passwords to potential attackers. This vulnerability specifically affects users of the main wiki, with subwiki users not being impacted due to a discovered bug.

Exploit Details

The vulnerability stems from the password reset process, which is accessible through the "Forgot your password" link on the login view. This vulnerability does not impact the functionality of users changing their own passwords or administrators changing user passwords.

The problem arises when passwords are reset using the aforementioned feature, causing the new password to be stored in plain text format within the database. This raises serious security concerns, as an attacker gaining access to the database could exploit this flaw to gain unauthorized access to user accounts.

Patch & Migration

XWiki has released security patches for this vulnerability in version 14.6RC1, 14.4.3, and 13.10.8. The patch involves migrating impacted users and the history of the page so that no plain text passwords remain in the database. In addition, the migration process includes notifying users of the potential disclosure of their passwords.

By default, two emails are automatically sent to impacted users. The first email informs users of the possibility that their passwords have been leaked. The second email utilizes the reset password feature, encouraging users to create a new password. Administrators also have additional migration options, such as choosing whether to reset user passwords (default) or keep them hashed.

It is essential to note that if the user password reset option is selected, users will not be able to log in until they create a new password. In both cases, users will receive emails to inform them of the issue and encourage them to change their passwords.

References

- XWiki Security Advisory
- CVE-2022-41933
- GHSA-599v-w48h-rjrm

Conclusion

Users of XWiki Platform versions 13.1RC1 and newer should immediately update to the latest patched versions (14.6RC1, 14.4.3, or 13.10.8) to address the CVE-2022-41933 vulnerability. In addition, administrators should ensure that appropriate migration options are set and that users are informed of the potential security risks posed by this flaw. The timely patching and upgrading of XWiki Platform installations are crucial steps to mitigating the risks associated with this vulnerability and keeping user data secure.

Timeline

Published on: 11/23/2022 21:15:00 UTC
Last modified on: 12/02/2022 16:57:00 UTC