Key vulnerability information

Title: XWiki Platform / XWIKI-22810: Passwords and emails stored in fields not named password/email exposed in xml.vm

Type and priority
Type: Bug
Priority: Blocker

Affected and fixed versions
Affects Version/s: 1.1 M2
Fix Version/s: 16.10.5, 16.4.7, ...

Component and labels
Component/s: Old Core
Labels: attack_dataleak, attacker_view, security

Description and steps to reproduce
Steps to reproduce:
1. Ask for a password reset token for any user, e.g., "Admin".
2. Open (view the source if your browser doesn't display it).
Expected result: The hash of the password reset token is not in the XML.
Actual result: The hash of the password reset token is in the XML.

Root cause
The code only removes properties named and , leaving other fields exposed. This affects all password and email properties, and is particularly dangerous for non-random or non-hashed passwords outside .

Impact and risk
Relatively low impact on XWiki due to account verification and randomly generated tokens. Still makes brute-force attacks easier.
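The root cause above is a filter keyed on property names rather than on the property's declared type. The following added example (not XWiki's own code, and not the real xml.vm template) illustrates the difference on a constructed object model: a name-based denylist drops the fields literally named password/email but lets a hashed reset token stored under another field name into the export, while a type-based rule that consults the class definition removes every Password- or Email-typed field. All class names, field names, values and helper functions here are constructed for illustration.

```python
# Added example: redacting sensitive object properties from an XML export
# by property TYPE rather than by property NAME.
# The class definitions, objects and values below are constructed for this
# example and do not correspond to XWiki's actual classes or template code.
import xml.etree.ElementTree as ET

# Hypothetical class definitions: class -> {property name: property type}.
CLASS_DEFINITIONS = {
    "Example.UserClass": {
        "first_name": "String",
        "password": "Password",
        "email": "Email",
    },
    "Example.ResetRequestClass": {
        # A hashed reset token stored under a field NOT named "password".
        "resetTokenHash": "Password",
        "requestDate": "Date",
    },
}

SENSITIVE_TYPES = {"Password", "Email"}
NAME_DENYLIST = {"password", "email"}   # the flawed, name-only rule

# Constructed sample objects attached to one document.
SAMPLE_OBJECTS = [
    {"class": "Example.UserClass",
     "properties": {"first_name": "Admin",
                    "password": "hash:userpw",
                    "email": "admin@example.test"}},
    {"class": "Example.ResetRequestClass",
     "properties": {"resetTokenHash": "hash:resettoken",
                    "requestDate": "2025-01-01"}},
]


def is_sensitive_by_name(class_name, prop_name):
    """Flawed rule: only properties literally named password/email are dropped."""
    return prop_name in NAME_DENYLIST


def is_sensitive_by_type(class_name, prop_name):
    """Hardened rule: drop any field whose declared type is Password or Email."""
    prop_type = CLASS_DEFINITIONS.get(class_name, {}).get(prop_name)
    return prop_type in SENSITIVE_TYPES


def export_xml(objects, is_sensitive):
    """Serialize objects to XML, omitting properties flagged by the predicate."""
    root = ET.Element("exportdoc")
    for obj in objects:
        obj_el = ET.SubElement(root, "object")
        ET.SubElement(obj_el, "className").text = obj["class"]
        for name, value in obj["properties"].items():
            if is_sensitive(obj["class"], name):
                continue
            prop_el = ET.SubElement(obj_el, "property")
            ET.SubElement(prop_el, name).text = value
    return ET.tostring(root, encoding="unicode")


def leaked_fields(xml_text, objects):
    """Return (class, field) pairs whose type-sensitive value still appears in the export."""
    leaks = []
    for obj in objects:
        for name, value in obj["properties"].items():
            if is_sensitive_by_type(obj["class"], name) and value in xml_text:
                leaks.append((obj["class"], name))
    return leaks


if __name__ == "__main__":
    flawed = export_xml(SAMPLE_OBJECTS, is_sensitive_by_name)
    fixed = export_xml(SAMPLE_OBJECTS, is_sensitive_by_type)
    print("name-based filter leaks:", leaked_fields(flawed, SAMPLE_OBJECTS))
    print("type-based filter leaks:", leaked_fields(fixed, SAMPLE_OBJECTS))
```

The check to carry over to a real export path is the one in `leaked_fields`: enumerate every property whose class definition marks it as a secret-bearing type and confirm none of their values survive into the serialized output, regardless of what the field is called.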