CVE-2024-46979

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1. The patch consists in checking the rights of the user when sending the data. Users are advised to upgrade. It's possible to workaround the vulnerability by applying manually the patch: it's possible for an administrator to edit directly the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch. See commit c8c6545f9bde6f5aade994aa5b5903a67b5c2582.
Configurations

No configuration.

History

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Es posible obtener acceso a los filtros de notificación de cualquier usuario mediante una URL como `xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&amp;type=custom&amp;user=`. Esta vulnerabilidad afecta a todas las versiones de XWiki desde la 13.2-rc-1. Los filtros no proporcionan mucha información (principalmente contienen referencias que son datos públicos en XWiki), aunque parte de la información podría utilizarse en combinación con otras vulnerabilidades. Esta vulnerabilidad ha sido corregida en XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1. El parche consiste en comprobar los derechos del usuario al enviar los datos. Se recomienda a los usuarios que actualicen la versión. Es posible solucionar la vulnerabilidad aplicando el parche manualmente: un administrador puede editar directamente el documento `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` para aplicar los mismos cambios que en el parche. Consulte el commit c8c6545f9bde6f5aade994aa5b5903a67b5c2582.

18 Sep 2024, 18:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-18 18:15

Updated : 2024-09-20 12:30


NVD link : CVE-2024-46979

Mitre link : CVE-2024-46979

CVE.ORG link : CVE-2024-46979


JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor