GHSA-pg4m-3gp6-hw4w
GitHub Security Advisory
org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users
Advisory Details
### Impact
It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1.
The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities.
### Patches
The vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1.
The patch consists in checking the rights of the user when sending the data.
### Workarounds
It's possible to workaround the vulnerability by applying manually the patch: it's possible for an administrator to edit directly the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch. See c8c6545f9bde6f5aade994aa5b5903a67b5c2582.
### References
* Jira ticket: https://jira.xwiki.org/browse/XWIKI-20336
* Commit: c8c6545f9bde6f5aade994aa5b5903a67b5c2582
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
### Attribution
This vulnerability has been reported on Intigriti by [Mete](https://www.linkedin.com/in/metehan-kalkan-5a3201199).
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.