PT-2024-31694 · Unknown · Xwiki Platform

Xiqinger · Published 2024-09-10 · Updated 2025-10-20 · CVE-2024-45591

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki versions prior to 15.10.9
XWiki versions prior to 16.3.0RC1

Description

The XWiki Platform, a generic wiki platform, has an issue where its REST API exposes the history of any page if an attacker knows the page name. The exposed information includes the time of modification, version number, author (username and displayed name), and version comment for each page modification. This disclosure occurs regardless of permission settings, even on fully private wikis. The issue can be tested by accessing the /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history API endpoint. If the history of the main page is displayed, the installation is affected.

Recommendations

For XWiki versions prior to 15.10.9, upgrade to version 15.10.9 or later. For XWiki versions prior to 16.3.0RC1, upgrade to version 16.3.0RC1 or later.
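
Added example, not part of the original advisory or of XWiki's code: a log-review helper that lists which page histories each client read through the REST endpoint described above while the log recorded no authenticated user. It assumes the front end writes Combined Log Format with the authenticated user in the third field ("-" when none); the function name and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Page-history resource, e.g. /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history
# Nested spaces repeat the /spaces/<name> segment.
HISTORY_RE = re.compile(
    r'/rest/wikis/(?P<wiki>[^/]+)(?P<spaces>(?:/spaces/[^/]+)+)'
    r'/pages/(?P<page>[^/]+)/history/?$')

def history_hits(lines):
    """Return {client_ip: {'wiki:Space.Page', ...}} for successful history reads
    where the log shows no authenticated user."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        if m["user"] != "-":  # assumption: "-" means no user was authenticated
            continue
        h = HISTORY_RE.search(urlsplit(m["target"]).path)  # query string ignored
        if h:
            spaces = ".".join(unquote(s) for s in h["spaces"].split("/spaces/")[1:])
            hits[m["ip"]].add(f'{unquote(h["wiki"])}:{spaces}.{unquote(h["page"])}')
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2024:10:01:02 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history HTTP/1.1" 200 1840 "-" "curl/8.5.0"',
    '203.0.113.7 - - [12/Sep/2024:10:01:03 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/HR/spaces/Salaries/pages/WebHome/history HTTP/1.1" 200 922 "-" "curl/8.5.0"',
    '198.51.100.4 - alice [12/Sep/2024:10:02:00 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Sep/2024:10:03:00 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [12/Sep/2024:10:03:05 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, pages in history_hits(SAMPLE_LOG).items():
        print(ip, sorted(pages))
```

On a wiki that is meant to be private, any hit dated before the upgrade is a page whose modification times, authors and version comments may have been disclosed.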

Exploit

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2024-45591
GHSA-PVMM-55R5-G3MM

Affected Products

Xwiki Platform