#VU126942 Incorrect Use of Privileged APIs in XWiki platform - CVE-2024-46978
Published: September 18, 2024 / Updated: April 23, 2026
XWiki platform
XWiki
Description
The vulnerability allows a remote user to modify or delete another user's notification filter preferences.
The vulnerability exists due to improper access control in the notification preference service when handling requests to edit notification filter preferences. A remote user can send a request that references the ID of another user's notification filter preference and thereby modify or delete that preference.
Exploitation requires knowledge of the ID of another user's notification filter preference.
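The missing check described above, shown as an added example in a minimal Python model of a per-user preference service. This is not XWiki code: every class, method and ID below is hypothetical, and the administrator override is an assumption of the model.

```python
# Added illustration: a minimal model of a per-user preference service.
# All names are hypothetical; this is not XWiki's implementation.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when the caller may not touch the referenced preference."""


@dataclass
class FilterPreference:
    pref_id: str
    owner: str
    enabled: bool = True


class PreferenceService:
    def __init__(self, prefs, admins=()):
        self._prefs = {p.pref_id: p for p in prefs}
        self._admins = set(admins)  # assumption: admins may manage any entry

    def get(self, pref_id):
        return self._prefs.get(pref_id)

    # Flawed pattern: the ID supplied in the request is the only input used;
    # the caller's identity is never compared with the preference's owner.
    def delete_unchecked(self, caller, pref_id):
        return self._prefs.pop(pref_id, None) is not None

    def _authorize(self, caller, pref_id):
        pref = self._prefs.get(pref_id)
        # Same error for "missing" and "not yours", so a response never
        # confirms whether a given ID exists.
        if pref is None or (pref.owner != caller and caller not in self._admins):
            raise AccessDenied(pref_id)
        return pref

    # Hardened pattern: every state-changing call resolves the owner first.
    def delete(self, caller, pref_id):
        self._authorize(caller, pref_id)
        del self._prefs[pref_id]

    def set_enabled(self, caller, pref_id, enabled):
        self._authorize(caller, pref_id).enabled = enabled


def sample_service():
    # Constructed sample data.
    return PreferenceService(
        [FilterPreference("NFP_a1", "alice"), FilterPreference("NFP_b1", "bob")],
        admins=["admin"],
    )
```

Because the hardened path does not depend on IDs being hard to guess, it holds even when an ID becomes known to another user.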