PT-2024-32313 · Xwiki · Xwiki Platform
Floerer · Published 2022-11-03 · Updated 2025-02-07 · CVE-2024-46978
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 13.2-rc-1 through 14.10.20
XWiki Platform versions 15.0.0 through 15.5.4
XWiki Platform version 15.10.0
Description
The issue allows any user who knows the ID of another user's notification filter preference to enable, disable, or delete it. This could cause the target user to lose notifications on some pages. The patch for this issue checks the rights of the requesting user before performing any action on the filters.
Recommendations
For XWiki Platform versions 13.2-rc-1 through 14.10.20, upgrade to version 14.10.21 or later.
For XWiki Platform versions 15.0.0 through 15.5.4, upgrade to version 15.5.5 or later.
For XWiki Platform version 15.10.0, upgrade to version 15.10.1 or later.
As a temporary workaround, consider editing the document XWiki.Notifications.Code.NotificationPreferenceService to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.
Affected Products
Xwiki Platform