Back

CVE-2024-46978

Sept. 18, 2024, 6:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

XWiki Platform

  • 13.2-rc-1
  • 14.10.21
  • 15.5.5
  • 15.10.1
  • 16.0-rc-1

Source

security-advisories@github.com

Tags

security-advisories@github.com
2024-09-18
CVE-2024-46978
CWE-648

CVE-2024-46978 details

Published : Sept. 18, 2024, 6:15 p.m.
Last Modified : Sept. 18, 2024, 6:15 p.m.

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in checking properly the rights of the user before performing any action on the filters. Users are advised to upgrade. It's possible to fix manually the vulnerability by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.

CVSS Score

1 2 3 4 5 6.5 7 8 9 10

Weakness

Weakness Name Description
CWE-648 Incorrect Use of Privileged APIs The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

6.5

Exploitability Score

2.8

Impact Score

3.6

Base Severity

MEDIUM

Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

URL Source
https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx security-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20337 security-advisories@github.com
This website uses the NVD API, but is not approved or certified by it.