PT-2024-21295 · Xwiki · Xwiki Application Licensing

Oanalavinia · Published 2024-02-21 · Updated 2024-02-22

CVE-2024-26138

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: XWiki Application Licensing versions prior to 1.24.2
Description: The XWiki licensor application includes a public document, Licenses.Code.LicenseJSON, that exposes sensitive information: the instance's id and the first name, last name and email address of the license owner. This information leak can be used for targeted phishing attacks. The instance id can be associated with active-installs data, and email addresses might be displayed obfuscated depending on the configuration.
Recommendations: For versions prior to 1.24.2, upgrade to Application Licensing 1.24.2 to fix the issue. There are no known workarounds besides upgrading; as a temporary mitigation until the upgrade is applied, consider restricting access to the Licenses.Code.LicenseJSON document.
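An added verification check, not part of this advisory or of the XWiki project, that an administrator can run against their own instance after restricting the document or upgrading: it fetches Licenses.Code.LicenseJSON without a session and reports whether the response still carries license-owner details. The /bin/view URL layout and the JSON field names it looks for are assumptions.

```python
"""Post-mitigation check for CVE-2024-26138 (XWiki Application Licensing < 1.24.2).

Fetches the Licenses.Code.LicenseJSON document anonymously from your own
instance and classifies the response. Constructed example: the document
URL layout and the field-name heuristics are assumptions, not the project's API.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Assumed document URL (XWiki's default /bin/view/<Space>/<Page> layout).
DOC_PATH = "/bin/view/Licenses/Code/LicenseJSON"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed key names that would indicate the leak described in the advisory.
SENSITIVE_KEYS = {"instanceid", "firstname", "lastname", "email"}


def classify(status: int, body: str) -> str:
    """Return 'protected', 'exposed' or 'no-data' for an anonymous response."""
    if status in (401, 403):
        return "protected"          # access restriction is in effect
    if status != 200:
        return "no-data"            # e.g. 404 after removal, 5xx
    keys = set()
    try:
        obj = json.loads(body)
        if isinstance(obj, dict):
            keys = {k.lower() for k in obj}
    except ValueError:
        pass                        # not JSON (login page, HTML wrapper, ...)
    if keys & SENSITIVE_KEYS or EMAIL_RE.search(body):
        return "exposed"            # owner details readable without login
    return "no-data"


def fetch_anonymous(base_url: str) -> tuple[int, str]:
    """GET the document with no cookies; return (status, body) even on HTTP errors."""
    req = urllib.request.Request(base_url.rstrip("/") + DOC_PATH,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


if __name__ == "__main__":
    status, body = fetch_anonymous(sys.argv[1])   # e.g. https://wiki.example.org/xwiki
    print(f"HTTP {status}: {classify(status, body)}")
```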

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2024-26138
GHSA-4HFP-M9GV-M753

Affected Products

Xwiki Application Licensing