XWiki Platform: XWIKI-22811

Any user with edit right can access all users' password hashes or other accessible password properties through Database List properties


    Description

      Steps to reproduce:

      1. Edit any document with the class editor.
      2. Add a property of type "Database List" named "password".
      3. Set "XWiki Class Name" to "XWiki.XWikiUsers"
      4. Set "Id Field Name" to "doc.fullName"
      5. Set "Value Field Name" to "password"
      6. Save the XClass and edit the page with the Object editor. Add an object of the created XClass and examine the select for the "password".

      Expected result:

      There aren't any values present in the select.

      Actual result:

      The select contains the usernames and password hashes of all users of the wiki.

      Note that if we had targeted an XClass with a password property stored in plain text, the passwords would have been displayed in plain text. Pages that aren't accessible are filtered out, however. This vulnerability would also affect the mail server configuration before XWIKI-20519 had been fixed.

      The "Affects Version" is the fix version of XWIKI-14700; before that fix, any query could be executed, which could of course also reveal the passwords of inaccessible pages.

      Note for fixing: this concerns not only the object editor but also the REST API for retrieving values, both multiple and single values; see also XWIKI-22736 (but I don't believe those vulnerabilities can be combined: from what I could see, Database List properties always check rights on the results, even for single values).

      People

        Michael Hamann