CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46978 – Missing checks for notification filter preferences editions in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46978
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx https://jira.xwiki.org/browse/XWIKI-20337 • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46979 – Data leak of notification filters of users in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46979
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. • https://github.com/xwiki/xwiki-platform/commit/c8c6545f9bde6f5aade994aa5b5903a67b5c2582 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pg4m-3gp6-hw4w https://jira.xwiki.org/browse/XWIKI-20336 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45591 – XWiki Platform document history including authors of any page exposed to unauthorized actors
https://notcve.org/view.php?id=CVE-2024-45591
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. • https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm https://jira.xwiki.org/browse/XWIKI-22052 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-43400 – XWiki Platform allows XSS through XClass name in string properties
https://notcve.org/view.php?id=CVE-2024-43400
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. • https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v https://jira.xwiki.org/browse/XWIKI-21810 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43401 – In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them
https://notcve.org/view.php?id=CVE-2024-43401
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7 https://jira.xwiki.org/browse/XWIKI-20331 https://jira.xwiki.org/browse/XWIKI-21311 https://jira.xwiki.org/browse/XWIKI-21481 https://jira.xwiki.org/browse/XWIKI-21482 https://jira.xwiki.org/browse/XWIKI-21483 https://jira.xwiki.org/browse/XWIKI-21484 https://jira.xwiki.org/browse/XWIKI-21485 https://jira.xwiki.org/browse/XWIKI-21486 https://jira.xwiki.org/browse/XWIKI-21487 https:/&#x • CWE-269: Improper Privilege Management •