CVE-2024-45591

Exploit

EPSS 3.42%
Veröffentlicht 10.09.2024 16:15:21
Zuletzt bearbeitet 20.09.2024 19:55:54
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki Platform document history including authors of any page exposed to unauthorized actors

XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 1.8 < 15.10.9

Xwiki ≫ Xwiki Version >= 16.0.0 < 16.3.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.42%	0.873

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f

Patch

https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-22052

Patch

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-45591

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-45591

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-45591

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-45591