Missing Authorization in XWiki platform - CVE-2024-45591


Published: September 10, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125592
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45591
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authorization in the REST API history endpoint when handling requests for page history: the endpoint returns a page's revision history without checking that the requester has view rights on that page. A remote attacker who knows a page's name can request that page's history and obtain sensitive information.

The exposed history can include modification times, version numbers, author usernames and displayed names, and version comments, including on fully private wiki instances.
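A defender-side check for this weakness, added here as an example and not part of the advisory: it scans web-server access logs for successful, unauthenticated reads of the REST page-history endpoint, which on a patched private wiki should be refused. The endpoint path layout (`/rest/wikis/{wiki}/spaces/{space}/pages/{page}/history`) is assumed from the XWiki REST API rather than taken from this page, and the log lines are constructed samples.

```python
import re
from dataclasses import dataclass

# Assumed XWiki REST history URL layout (not stated in the advisory);
# nested spaces appear as repeated "/spaces/<name>" segments.
HISTORY_RE = re.compile(
    r"^/rest/wikis/(?P<wiki>[^/]+)/spaces/(?P<space>[^/]+(?:/spaces/[^/]+)*)"
    r"/pages/(?P<page>[^/]+)/history(?:/|\?|$)"
)

# Combined-format access log: client, ident, remote user, time, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

@dataclass
class Hit:
    client: str
    wiki: str
    space: str
    page: str
    status: int

# Constructed sample log lines; "-" in the user field means no authenticated user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2024:12:00:01 +0000] "GET /rest/wikis/xwiki/spaces/Finance/pages/Budget2025/history HTTP/1.1" 200 2114 "-" "curl/8.6.0"
198.51.100.2 - admin [10/Sep/2024:12:00:05 +0000] "GET /rest/wikis/xwiki/spaces/Finance/pages/Budget2025/history HTTP/1.1" 200 2114 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2024:12:00:09 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 401 0 "-" "curl/8.6.0"
203.0.113.9 - - [10/Sep/2024:12:00:12 +0000] "GET /rest/wikis/xwiki/spaces/HR/spaces/Reviews/pages/Q3/history?number=5 HTTP/1.1" 200 980 "-" "python-requests/2.32"
"""

def find_unauthenticated_history_reads(log_text: str) -> list[Hit]:
    """Return history-endpoint GETs that succeeded (2xx) with no authenticated user."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        h = HISTORY_RE.match(m["path"])
        if not h:
            continue
        status = int(m["status"])
        # A 2xx answer to an anonymous history request is the exposure this CVE describes;
        # a patched private wiki should answer 401/403 instead.
        if m["user"] == "-" and 200 <= status < 300:
            hits.append(Hit(m["client"], h["wiki"], h["space"], h["page"], status))
    return hits

if __name__ == "__main__":
    for hit in find_unauthenticated_history_reads(SAMPLE_LOG):
        print(f"{hit.client} read history of {hit.wiki}:{hit.space}/{hit.page} (HTTP {hit.status})")
```

The remote-user field is only populated when the proxy or servlet container records the authenticated principal; if your deployment does not, apply the same path and status filter to XWiki's own request logs where the user is known.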


How to mitigate CVE-2024-45591

Install the security update from the vendor's website.

Sources