PT-2023-26180 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-25 · Updated 2023-10-31 · CVE-2023-37911

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 9.4-rc-1 through 14.10.7
XWiki Platform versions 15.3-rc-1 and earlier

Description

The issue arises when a document has been deleted and re-created: users who have view rights on the re-created document, but did not have view rights on the deleted document, can view the contents of the deleted document. This can be exploited through the diff feature and, partially, through the REST API by requesting versions such as deleted:1. Given sufficient rights, the attacker can also re-create the deleted document themselves, which extends the scope to any deleted document, as long as the attacker has edit rights in the location of the deleted document.

Recommendations

For XWiki Platform versions 9.4-rc-1 through 14.10.7, update to version 14.10.8, which properly checks rights when deleted revisions of a document are accessed. For XWiki Platform versions 15.3-rc-1 and earlier, update to version 15.3 RC1, which properly checks rights when deleted revisions of a document are accessed. As a temporary workaround, consider regularly cleaning deleted documents to minimize the potential exposure. Take extra care when deleting sensitive documents that are protected individually, or when deleting a protected space as a whole.


Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2023-37911
GHSA-GH64-QXH5-4M33

Affected Products

Xwiki Platform