Incorrect Use of Privileged APIs in XWiki platform - CVE-2024-46978

 

Incorrect Use of Privileged APIs in XWiki platform - CVE-2024-46978

Published: September 18, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126942
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-46978
CWE-ID: CWE-648
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to modify or delete another user's notification filter preferences.

The vulnerability exists due to improper access control in the notification preference service when handling requests to edit notification filter preferences. A remote user can send a request referencing the ID of another user's notification filter preference to modify or delete another user's notification filter preferences.

Exploitation requires knowledge of the ID of another user's notification filter preference.


How to mitigate CVE-2024-46978

Install security update from vendor's website.

Sources