CVE-2024-45591: Open REST API History Disclosure in XWiki (<15.10.9)
CVE-2024-45591 Published on September 10, 2024
XWiki Platform document history including authors of any page exposed to unauthorized actors
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.
Vulnerability Analysis
CVE-2024-45591 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Types
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-45591 has been classified to as an AuthZ vulnerability or weakness.
What is a Privacy violation Vulnerability?
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
CVE-2024-45591 has been classified to as a Privacy violation vulnerability or weakness.
Products Associated with CVE-2024-45591
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 1.8.0, < 15.10.9 is affected.
- Version >= 16.0.0-rc-1, < 16.3.0-rc-1 is affected.
- Version 1.8.0, and below 15.10.9 is affected.
- Version 16.0.0-rc-1 and below 16.3.0-rc-1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2024-45591
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-rest-server | >= 1.8.0, < 15.10.9 | 15.10.9 |
| maven | org.xwiki.platform:xwiki-platform-rest-server | >= 16.0.0-rc-1, < 16.3.0-rc-1 | 16.3.0-rc-1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.