Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-pvmm-55r5-g3mm

GitHub Security Advisory

XWiki Platform document history including authors of any page exposed to unauthorized actors

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private.

On a private wiki, this can be tested by accessing `/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history`, if this shows the history of the main page then the installation is vulnerable.

### Patches
This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.

### Workarounds
There aren't any known workarounds apart from upgrading to a fixed version.

### References
* https://jira.xwiki.org/browse/XWIKI-22052
* https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8

Affected Packages

Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: 1.8.0 (fixed in 15.10.9)
Maven org.xwiki.platform:xwiki-platform-rest-server
Affected versions: 16.0.0-rc-1 (fixed in 16.3.0-rc-1)

Related CVEs

CVE-2024-45591

Key Information

GHSA ID
GHSA-pvmm-55r5-g3mm
Published
September 10, 2024 3:53 PM
Last Modified
September 10, 2024 7:01 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-rest-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.