XWiki · XWiki Application Licensing · CVE-2024-26138
**Name of the Vulnerable Software and Affected Versions**
XWiki Application Licensing versions prior to 1.24.2
**Description**
The XWiki licensor application ships a publicly viewable document, `Licenses.Code.LicenseJSON`, that exposes sensitive information about the installation: the instance id and the first name, last name and email address of the license owner. Anyone who can view that document (on a public wiki, an unauthenticated visitor) can read this data, which makes it useful for targeted phishing against the license owner. The instance id can additionally be correlated with active-installs data. Depending on the configuration, the email address may appear in an obfuscated form, which reduces but does not remove the exposure.
**Recommendations**
Upgrade Application Licensing to version 1.24.2 or later, which fixes the issue. No vendor workaround is known other than upgrading. If the upgrade cannot be applied immediately, restricting view rights on the `Licenses.Code.LicenseJSON` document limits who can read the exposed data until the upgrade is in place.
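A practitioner will want to confirm whether a given instance is actually serving this data anonymously, and to re-check after restricting the document or upgrading. The script below is an added example for this advisory; it is not code from XWiki or from the Application Licensing extension. It assumes XWiki's usual URL scheme, in which the document `Licenses.Code.LicenseJSON` is served at `<base>/bin/get/Licenses/Code/LicenseJSON` with the base URL including the servlet context path (typically `/xwiki`); because the advisory does not name the JSON fields, the scan matches leaf keys heuristically against the categories it lists (instance id, first name, last name, email) and also flags any string that looks like an email address, obfuscated or not. The sample payload embedded at the bottom is constructed for an offline run and is not a real response.

```python
"""Check whether an XWiki instance serves Licenses.Code.LicenseJSON to an unauthenticated client.

Added example for CVE-2024-26138; not part of XWiki or the Application Licensing extension.
Assumptions are marked inline.
"""
import json
import re
import sys
import urllib.error
import urllib.request


def license_json_url(base_url):
    # Assumption: XWiki serves the page Space.SubSpace.Page at /bin/get/Space/SubSpace/Page
    # (the "get" action returns the page body without the skin); base_url must include
    # the servlet context path, usually /xwiki.
    return base_url.rstrip("/") + "/bin/get/Licenses/Code/LicenseJSON"


# Assumption: the advisory does not give the JSON field names, so leaf keys are matched
# heuristically against the data categories it lists.
SENSITIVE_KEY_FRAGMENTS = ("instanceid", "firstname", "lastname", "email")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def find_exposed_fields(payload):
    """Walk decoded JSON and return (path, value) pairs that look like license-owner data."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        else:
            leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
            leaf = leaf.lower().replace("_", "").replace("-", "")
            if isinstance(node, str) and EMAIL_RE.search(node):
                hits.append((path, node))  # also catches partially obfuscated addresses
            elif node not in (None, "") and any(f in leaf for f in SENSITIVE_KEY_FRAGMENTS):
                hits.append((path, node))

    walk(payload, "")
    return hits


def http_get_anonymous(url, timeout=10):
    """Fetch url with no credentials; return the body as text, or None on 401/403."""
    request = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def check_instance(base_url, fetcher=http_get_anonymous):
    """Return (url, hits). hits is None when the document is not readable as JSON
    anonymously (access denied, or an HTML login page came back instead of JSON)."""
    url = license_json_url(base_url)
    body = fetcher(url)
    if body is None:
        return url, None
    try:
        payload = json.loads(body)
    except ValueError:
        return url, None
    return url, find_exposed_fields(payload)


# Constructed sample of what an exposed document might contain; not a real response.
SAMPLE_EXPOSED = {
    "instanceId": "00000000-constructed-sample",
    "owner": {"firstName": "Ada", "lastName": "Lovelace", "email": "ada@example.invalid"},
    "licenses": [{"type": "trial", "expires": 0}],
}
SAMPLE_EXPOSED_TEXT = json.dumps(SAMPLE_EXPOSED)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url, hits = check_instance(sys.argv[1])
    else:
        # No target given: offline demonstration against the constructed sample.
        url, hits = check_instance("https://wiki.example.invalid/xwiki",
                                   fetcher=lambda _url: SAMPLE_EXPOSED_TEXT)
    if hits is None:
        print(f"{url}: not readable as JSON without authentication")
    else:
        for path, value in hits:
            print(f"{url}: exposed {path} = {value!r}")
        print(f"{url}: {len(hits)} exposed field(s)")
```

Run it with the wiki's base URL as the only argument from a host that has no XWiki session; run it again after restricting view rights on the document or after upgrading. A "not readable" result or an empty hit list is what you want to see; any remaining hit means the license-owner data is still readable anonymously.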