XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f | Patch |
https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8 | Patch |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm | Vendor Advisory |
https://jira.xwiki.org/browse/XWIKI-22052 | Exploit Issue Tracking Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
20 Sep 2024, 19:55
Type | Values Removed | Values Added |
---|---|---|
First Time |
Xwiki
Xwiki xwiki |
|
CPE | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | |
References | () https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f - Patch | |
References | () https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8 - Patch | |
References | () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm - Vendor Advisory | |
References | () https://jira.xwiki.org/browse/XWIKI-22052 - Exploit, Issue Tracking, Patch, Vendor Advisory | |
Summary |
|
10 Sep 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-10 16:15
Updated : 2024-09-20 19:55
NVD link : CVE-2024-45591
Mitre link : CVE-2024-45591
CVE.ORG link : CVE-2024-45591
JSON object : View
Products Affected
xwiki
- xwiki