CVE-2022-41936 org.xwiki.platform:xwiki-platform-rest-server

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-rest-server
Vulnerable Version: >=8.1 <13.10.8 || >=14.0.0 <14.4.3 || >=14.5.0 <14.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00524 (percentile 0.66004)

Details

Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server

Impact

The `modifications` REST endpoint does not filter out entries according to the requesting user's rights. As a result, information that is hidden from unauthorized users (e.g., comments, page names, ...) is exposed through the `modifications` REST endpoint.

Patches

Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched.

Workarounds

No known workaround.

References

- Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- Jira issue: https://jira.xwiki.org/browse/XWIKI-19997

For more information

If you have any questions or comments about this advisory:

- Open an issue in Jira XWiki.org: https://jira.xwiki.org/
- Email the Security Mailing List: security@xwiki.org

Metadata

Created: 2022-11-21T23:25:00Z
Modified: 2022-11-28T15:50:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-p88w-fhxw-xvcc/GHSA-p88w-fhxw-xvcc.json
CWE IDs: ["CWE-359"]
Alternative ID: GHSA-p88w-fhxw-xvcc
Finding: F038
Auto approve: 1