
GHSA-p88w-fhxw-xvcc

GitHub Security Advisory

Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
The `modifications` REST endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `modifications` REST endpoint (e.g., comments, page names...).

### Patches
Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched.

### Workarounds
No known workaround.

### References

- Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- Jira issue: https://jira.xwiki.org/browse/XWIKI-19997

### For more information
If you have any questions or comments about this advisory:

- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
- Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: 8.1 (fixed in 13.10.8)
Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: 14.0.0 (fixed in 14.4.3)
Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: 14.5.0 (fixed in 14.6)
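
A triage check for dependency lists, built from the affected and fixed versions listed above. This is an added example, not code from XWiki or from the advisory; the three-part `group:artifact:version` input format, the sample coordinates, and the rule that a pre-release qualifier sorts before the plain release are assumptions.

```python
import re

# Values copied from this advisory's "Affected Packages" list:
# (first affected version, first fixed version) per release branch.
PACKAGE = "org.xwiki.platform:xwiki-platform-rest-server"
AFFECTED_RANGES = [("8.1", "13.10.8"), ("14.0.0", "14.4.3"), ("14.5.0", "14.6")]


def version_key(text):
    """Sortable key for versions such as '14.4.3', '14.6' or '14.4.3-rc-1'."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([-.][A-Za-z].*)?", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # '14.6' compares equal to '14.6.0'
    # Assumption: any qualifier (rc, milestone, SNAPSHOT) sorts before the
    # plain release, so a pre-release of a fixed version is still flagged.
    return numbers, 0 if match.group(2) else 1


def fixed_version_for(version):
    """Return the fixed version to upgrade to, or None if not affected."""
    key = version_key(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if version_key(first_affected) <= key < version_key(first_fixed):
            return first_fixed
    return None


def triage(coordinates):
    """Map each affected 'group:artifact:version' coordinate to its fix."""
    findings = {}
    for coordinate in coordinates:
        group, artifact, version = coordinate.strip().split(":")
        if f"{group}:{artifact}" != PACKAGE:
            continue  # a different artifact, outside this advisory
        fixed = fixed_version_for(version)
        if fixed is not None:
            findings[coordinate] = fixed
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = [
    "org.xwiki.platform:xwiki-platform-rest-server:13.10.7",
    "org.xwiki.platform:xwiki-platform-rest-server:13.10.8",
    "org.xwiki.platform:xwiki-platform-rest-server:14.4.3-rc-1",
    "org.xwiki.platform:xwiki-platform-rest-server:14.6",
    "org.xwiki.platform:xwiki-platform-rest-api:14.0.0",
]
```

`triage(SAMPLE)` returns only the `13.10.7` and `14.4.3-rc-1` coordinates, each mapped to the fixed version of its branch.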

Related CVEs

Key Information

GHSA ID
GHSA-p88w-fhxw-xvcc
Published
November 21, 2022 11:25 PM
Last Modified
November 28, 2022 3:50 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-rest-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.