Fabian Hafner

**Name of the Vulnerable Software and Affected Versions** XWiki Commons versions prior to 13.10.10 XWiki Commons versions prior to 14.4.4 XWiki Commons versions prior to 14.8RC1 **Description** It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`) or a URL such as `http:/mydomain.com`. **Recommendations** For versions prior to 13.10.10, update to version 13.10.10 or later. For versions prior to 14.4.4, update to version 14.4.4 or later. For versions prior to 14.8RC1, update to version 14.8RC1 or later. As a temporary workaround, consider providing a patched jar of xwiki-platform-oldcore containing the necessary changes.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.8 XWiki Platform versions prior to 14.4.3 XWiki Platform versions prior to 14.6 **Description** The `modifications` rest endpoint does not filter out entries according to the user's rights, exposing information hidden from unauthorized users, such as comments and page names. **Recommendations** For versions prior to 13.10.8, upgrade to XWiki 13.10.8 or later. For versions prior to 14.4.3, upgrade to XWiki 14.4.3 or later. For versions prior to 14.6, upgrade to XWiki 14.6 or later.