Exposure of Private Personal Information to an Unauthorized Actor Affecting org.xwiki.platform:xwiki-platform-rest-server package, versions [,15.10.9) [16.0.0-rc-1,16.3.0-rc-1)
- Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-7926870
- published 11 Sep 2024
- disclosed 10 Sep 2024
- credit Xiqinger
Introduced: 10 Sep 2024
CVE-2024-45591
How to fix?
Upgrade org.xwiki.platform:xwiki-platform-rest-server to version 15.10.9, 16.3.0-rc-1 or higher.
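As an added example (not Snyk's or XWiki's own code), a small Python checker that parses the affected-version intervals quoted in this advisory and reports whether a given xwiki-platform-rest-server version falls inside them. It assumes only plain numeric versions and `-rc-N` qualifiers as used on this page, ordering a release candidate before its final release; it does not implement full Maven version ordering.

```python
import re

# Affected ranges exactly as given in the advisory (Maven-style interval notation):
# "[,15.10.9)" is every version below 15.10.9; "[16.0.0-rc-1,16.3.0-rc-1)" is
# 16.0.0-rc-1 inclusive up to, but excluding, the fixed 16.3.0-rc-1.
AFFECTED_RANGES = "[,15.10.9) [16.0.0-rc-1,16.3.0-rc-1)"

# Simplified grammar (assumption): dotted numbers with an optional "-rc-N" suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '16.3.0-rc-1' into a sortable key. Numeric parts are padded to three
    components; 'rc-n' maps to (0, n) and a final release to (1, 0), so a release
    candidate sorts before the release it precedes (Maven semantics for 'rc')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    rc = m.group(2)
    return (tuple(nums), (0, int(rc)) if rc is not None else (1, 0))


def parse_ranges(spec: str) -> list:
    """Parse space-separated intervals into (low, low_inclusive, high, high_inclusive)."""
    ranges = []
    for token in spec.split():
        m = re.match(r"^([\[(])([^,]*),([^\])]*)([\])])$", token)
        if not m:
            raise ValueError(f"bad interval: {token!r}")
        lo_br, lo, hi, hi_br = m.groups()
        ranges.append((
            parse_version(lo) if lo else None, lo_br == "[",
            parse_version(hi) if hi else None, hi_br == "]",
        ))
    return ranges


def is_affected(version: str, spec: str = AFFECTED_RANGES) -> bool:
    """True if the version lies inside any affected interval (open lower/upper bounds allowed)."""
    v = parse_version(version)
    for lo, lo_inc, hi, hi_inc in parse_ranges(spec):
        above_low = lo is None or v > lo or (lo_inc and v == lo)
        below_high = hi is None or v < hi or (hi_inc and v == hi)
        if above_low and below_high:
            return True
    return False


if __name__ == "__main__":
    for v in ["15.10.8", "15.10.9", "16.0.0-rc-1", "16.2.1", "16.3.0-rc-1", "16.3.0"]:
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```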
Overview
Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor via the REST API endpoint /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history. An attacker who knows the name of a page can retrieve its modification history, including modification times, version numbers and author details.
Note: This exposure occurs regardless of the configured access rights or privacy settings of the wiki.
PoC
1. Make your wiki fully private.
2. Log out.
3. Open /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history and /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/translations/de/history on your XWiki installation. On an affected version, both endpoints return the page history even though the wiki is private.