CVE-2024-46979
org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users
Description
### Impact It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. ### Patches The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1. The patch consists in checking the rights of the user when sending the data. ### Workarounds It's possible to workaround the vulnerability by applying manually the patch: it's possible for an administrator to edit directly the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch. See c8c6545f9bde6f5aade994aa5b5903a67b5c2582. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-20336 * Commit: c8c6545f9bde6f5aade994aa5b5903a67b5c2582 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution This vulnerability has been reported on Intigriti by [Mete](https://www.linkedin.com/in/metehan-kalkan-5a3201199).
How to fix CVE-2024-46979
To remediate CVE-2024-46979, upgrade the affected package to a fixed version below.
- —upgrade to 14.10.21 or later
Is CVE-2024-46979 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 13.2-rc-1, < 14.10.21