GHSA-rh28-mqj4-8x59 (High, CVSS 7.5)

XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests

Published
May 26, 2026
Last Modified
May 26, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests the full password salt and hash of a user can be retrieved.

Patches

The check for password (and email) properties has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.

Workarounds

The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.

Resources

  • https://jira.xwiki.org/browse/XWIKI-23875
  • https://github.com/xwiki/xwiki-platform/commit/c4442716b02ffcdaa9d5e703b1db6203e36456fa

🎯 Affected products (3)

  • maven/org.xwiki.platform:xwiki-platform-livetable-ui:>= 6.2.1, < 16.10.17
  • maven/org.xwiki.platform:xwiki-platform-livetable-ui:>= 17.0.0-rc-1, < 17.4.9
  • maven/org.xwiki.platform:xwiki-platform-livetable-ui:>= 17.5.0-rc-1, < 17.10.3
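The following Python helper is an added example, not part of the advisory or of XWiki's own tooling. It parses `xwiki-platform-livetable-ui` version strings (both the Maven form `17.5.0-rc-1` and the `18.0.0RC1` form used in the Patches section), orders release candidates before their release as Maven does, and reports whether a version falls inside one of the three affected ranges copied verbatim from the list above. The artifact-filename pattern in `version_from_artifact` is an assumption about how the XAR or JAR is named.

```python
"""Check whether an xwiki-platform-livetable-ui version is in an affected range.

The ranges are the three "maven/org.xwiki.platform:xwiki-platform-livetable-ui"
entries of this advisory, copied as printed (inclusive lower, exclusive upper).
"""
import re
from typing import Optional, Tuple

# Accepts "17.4.8", "17.5.0-rc-1" and "18.0.0RC1" (case-insensitive).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?rc-?(\d+))?$")

# Assumed artifact naming, e.g. "xwiki-platform-livetable-ui-17.4.8.xar".
_ARTIFACT_RE = re.compile(r"xwiki-platform-livetable-ui-([0-9][^/\\]*?)\.(?:xar|jar)$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a sortable tuple.

    Release candidates sort before the corresponding release, as Maven orders them:
    parse_version("17.5.0-rc-1") < parse_version("17.5.0").
    The fourth element is 1 for a final release and 0 for an RC; the fifth is the RC number.
    """
    m = _VERSION_RE.match(v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {v!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


# (">= lower", "< upper") pairs exactly as listed in the advisory.
AFFECTED_RANGES = [
    ("6.2.1", "16.10.17"),
    ("17.0.0-rc-1", "17.4.9"),
    ("17.5.0-rc-1", "17.10.3"),
]


def is_affected(version: str) -> bool:
    """True when `version` lies inside any affected range of this advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_artifact(filename: str) -> Optional[str]:
    """Extract the version from an installed livetable-ui artifact name (assumed pattern)."""
    m = _ARTIFACT_RE.search(filename)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample inputs: an installed artifact name and a few bare versions.
    for sample in ("xwiki-platform-livetable-ui-17.4.8.xar", "17.10.13", "16.10.17", "18.0.0RC1"):
        ver = version_from_artifact(sample) or sample
        print(f"{ver:>14}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```

Run it against the version reported by your wiki's Extension Manager or the artifact present under the WEB-INF/lib or data directory; a version outside all three ranges is not affected according to this advisory, while one inside them should be upgraded to the fixed releases named in the Patches section.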
