PT-2024-32314 · Xwiki · Xwiki Platform

Bruhbey · Published 2024-09-18 · Updated 2024-09-20 · CVE-2024-46979

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 13.2-rc-1 through 14.10.20
XWiki Platform versions 15.0.0 through 15.5.4
XWiki Platform version 15.10.0
XWiki Platform versions 16.0.0 before 16.0RC1
Description

The issue allows access to the notification filters of any user by requesting a URL such as <hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>. The filters mainly contain references, which are public data in XWiki, but some of the information could be used in combination with other vulnerabilities.
Recommendations

For XWiki Platform versions 13.2-rc-1 through 14.10.20, upgrade to version 14.10.21 or later. For XWiki Platform versions 15.0.0 through 15.5.4, upgrade to version 15.5.5 or later. For XWiki Platform version 15.10.0, upgrade to version 15.10.1 or later. For XWiki Platform versions 16.0.0 before 16.0RC1, upgrade to version 16.0RC1 or later. As a temporary workaround, an administrator can directly edit the document XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults to apply the same changes as in the patch.
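A defender-side check for this issue, added here and not part of the advisory: it scans constructed web-server access-log lines (combined log format is assumed) for requests to the NotificationFilterPreferenceLivetableResults page that carry a user parameter, and groups the requested user names by source address so that a single client pulling several users' filters stands out.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from any real XWiki deployment).
# Lines 1 and 4 request other users' filters, line 2 is unrelated, and line 3
# calls the endpoint without a "user" parameter (the caller's own filters).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2024:10:01:02 +0000] "GET /xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=XWiki.Alice HTTP/1.1" 200 1532
10.0.0.5 - - [18/Sep/2024:10:01:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8811
10.0.0.7 - - [18/Sep/2024:10:02:00 +0000] "GET /xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom HTTP/1.1" 200 900
10.0.0.5 - - [18/Sep/2024:10:01:09 +0000] "GET /xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=XWiki.Bob HTTP/1.1" 200 1490
"""

# Page named in the advisory; the "/xwiki" context path before it varies per deployment.
ENDPOINT_SUFFIX = "/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults"

# Combined log format: ip ident authuser [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_cross_user_filter_requests(log_text):
    """Return one finding per request that asks the filter endpoint for a named user."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(ENDPOINT_SUFFIX):
            continue
        target_user = parse_qs(url.query).get("user", [None])[0]
        if target_user is None:
            continue  # own filters only; not the cross-user case the advisory describes
        findings.append({"ip": m["ip"], "time": m["ts"], "user": target_user, "status": int(m["status"])})
    return findings

def users_per_source(findings):
    """Distinct target users requested per source IP; several per IP suggests enumeration."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["user"])
    return {ip: sorted(users) for ip, users in by_ip.items()}

if __name__ == "__main__":
    hits = find_cross_user_filter_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} requested filters of {h["user"]} (HTTP {h["status"]})')
    print(users_per_source(hits))
```

On a patched instance the same requests should no longer return another user's filters, so a non-empty result is also a quick way to confirm the upgrade or the workaround edit is in place.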

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-46979
GHSA-PG4M-3GP6-HW4W

Affected Products

Xwiki Platform