#VU125592 Missing Authorization in XWiki platform - CVE-2024-45591

Published: September 10, 2024 / Updated: April 9, 2026


Vulnerability identifier: #VU125592
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-45591
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper authorization in the REST API history endpoint when handling requests for page history. A remote attacker who knows a page's name can request that page's history and thereby obtain sensitive information.

The exposed history can include modification times, version numbers, author usernames and displayed names, and version comments, including on fully private wiki instances.
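As an added example (not part of this advisory and not XWiki's own code), the detection logic below scans web-server access-log lines for successful history reads by unauthenticated clients, which is the footprint this flaw leaves on a private wiki; the combined log format, the REST path pattern and the sample lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumed combined log format (ip ident user [ts] "METHOD path proto" status size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed shape of the XWiki REST history resource; a placeholder pattern for
# this example, to be confirmed against your own deployment's request logs.
HISTORY_RE = re.compile(
    r'^/xwiki/rest/wikis/(?P<wiki>[^/]+)/spaces/(?P<space>.+)/pages/(?P<page>[^/?]+)/history'
)


@dataclass
class Finding:
    ip: str
    wiki: str
    page: str
    ts: str


def anonymous_history_reads(lines):
    """Return one Finding per log line where an unauthenticated client (user
    field '-') received HTTP 200 from the history endpoint. On a private wiki,
    or for a view-restricted page, this should not happen once the vendor
    fix is installed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if m["user"] != "-" or m["status"] != "200":
            continue  # authenticated request, or the read was refused
        h = HISTORY_RE.match(m["path"])
        if h:
            findings.append(Finding(m["ip"], h["wiki"], h["page"], m["ts"]))
    return findings


# Constructed sample lines: one anonymous success, one authenticated read,
# one anonymous request refused with 401, one unrelated page view.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Sep/2024:12:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Finance/pages/Budget2024/history HTTP/1.1" 200 1523',
    '198.51.100.7 - alice [10/Sep/2024:12:00:05 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Finance/pages/Budget2024/history HTTP/1.1" 200 1523',
    '203.0.113.9 - - [10/Sep/2024:12:01:10 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Finance/pages/Budget2024/history HTTP/1.1" 401 0',
    '203.0.113.9 - - [10/Sep/2024:12:01:12 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 8812',
]

if __name__ == "__main__":
    for f in anonymous_history_reads(SAMPLE_LOG):
        print(f"anonymous history read of {f.wiki}:{f.page} from {f.ip} at {f.ts}")
```

Anonymous 200s on this endpoint are only abnormal where anonymous viewing of the page is disabled, so scope the rule to private wikis or view-restricted spaces.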


Remediation

Install the security update from the vendor's website.

External links