logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-46979 org.xwiki.platform:xwiki-platform-notifications-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-notifications-ui
Vulnerable Version: >=13.2-rc-1 <14.10.21 || >=15.0-rc-1 <15.5.5 || >=15.6-rc-1 <15.10.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00026 pctl0.0549

Details

org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users ### Impact It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. ### Patches The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1. The patch consists in checking the rights of the user when sending the data. ### Workarounds It's possible to workaround the vulnerability by applying manually the patch: it's possible for an administrator to edit directly the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch. See c8c6545f9bde6f5aade994aa5b5903a67b5c2582. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-20336 * Commit: c8c6545f9bde6f5aade994aa5b5903a67b5c2582 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution This vulnerability has been reported on Intigriti by [Mete](https://www.linkedin.com/in/metehan-kalkan-5a3201199).

Metadata

Created: 2024-09-18T14:26:20Z
Modified: 2024-09-18T19:23:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-pg4m-3gp6-hw4w/GHSA-pg4m-3gp6-hw4w.json
CWE IDs: ["CWE-200", "CWE-359"]
Alternative ID: GHSA-pg4m-3gp6-hw4w
Finding: F038
Auto approve: 1