CVE-2023-26476: 
Java vulnerability analysis and mitigation

CVE-2023-26476 is a high severity vulnerability affecting XWiki Platform's LiveTable functionality. The vulnerability was discovered in July 2022 and affects versions from 3.2-m3 onwards. It was patched in versions 14.7-rc-1, 13.4.4, and 13.10.9. The vulnerability allows unauthorized users to expose sensitive password hash information through the LiveTable results feature (GitHub Advisory).

The vulnerability has a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue allows attackers to deduce the content of password fields through repeated calls to LiveTableResults and WikisLiveTableResultsMacros. The attack can be executed with approximately 768 requests to discover the full salt and password hash, with just 384 requests potentially being sufficient for a successful attack on weak passwords (Jira XWiki).

The vulnerability enables unauthorized actors to extract password hashes and salts from the system. This exposure allows attackers to conduct offline dictionary attacks against the password hashes. The attack is particularly effective against users not using external authentication systems, potentially compromising user account security (GitHub Advisory).

The vulnerability has been fixed in XWiki Platform versions 14.7-rc-1, 13.4.4, and 13.10.9. Users are advised to upgrade to these patched versions. For those unable to upgrade immediately, the issue can be fixed by manually applying the patch on LiveTableResults and WikisLiveTableResultsMacros (GitHub Advisory).