#VU126943 Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2024-46979

Published: September 18, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU126943
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-46979
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose notification filters of arbitrary users.

The vulnerability exists due to improper access control in the NotificationFilterPreferenceLivetableResults endpoint when handling crafted requests that specify a target user. A remote attacker can send a specially crafted request with the user parameter to disclose notification filters of arbitrary users.

The exposed filters mainly contain references that are public data in XWiki, but the disclosed information could be useful when combined with other vulnerabilities.
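The following is an added illustration, not XWiki's own code: a simplified Python model of the missing access check described above (a handler that trusts the user parameter to choose whose filter preferences are returned), its hardened form, and a defender's log check for the same pattern. The store contents, log format and user names are constructed for the example.

```python
# Added example, not XWiki's own code: a minimal model of the access-control
# flaw described above, its hardened form, and a log check for the pattern.
from dataclasses import dataclass, field

@dataclass
class Store:
    # Constructed sample data: notification filter preferences per user.
    filters: dict = field(default_factory=lambda: {
        "XWiki.Alice": ["page:Sandbox.Secret", "wiki:projectx"],
        "XWiki.Bob": ["page:Main.Roadmap"],
    })
    admins: set = field(default_factory=lambda: {"XWiki.Admin"})

def results_vulnerable(store, request_user, params):
    """Flawed handler: the 'user' parameter alone selects whose filters are
    returned; the requester's identity is never compared against it."""
    target = params.get("user", request_user)
    return 200, list(store.filters.get(target, []))

def results_fixed(store, request_user, params):
    """Hardened handler: only the user themselves or an administrator may
    read a given user's filter preferences; anonymous callers are refused."""
    target = params.get("user", request_user)
    if request_user is None:
        return 401, []
    if target != request_user and request_user not in store.admins:
        return 403, []
    return 200, list(store.filters.get(target, []))

def cross_user_requests(log_lines, admins):
    """Detection heuristic over access-log lines of the constructed form
    'auth=<user> user=<target>': flag non-admins requesting another user's
    filters, which is the crafted request the advisory describes."""
    flagged = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        auth, target = fields.get("auth", "anonymous"), fields.get("user")
        if target and target != auth and auth not in admins:
            flagged.append((auth, target))
    return flagged

SAMPLE_LOG = [  # constructed lines, not real XWiki log output
    "auth=XWiki.Alice user=XWiki.Alice",
    "auth=XWiki.Bob user=XWiki.Alice",
    "auth=anonymous user=XWiki.Alice",
    "auth=XWiki.Admin user=XWiki.Bob",
]
```

Running the vulnerable handler with an anonymous requester and `user=XWiki.Alice` returns Alice's filters; the hardened handler answers 401, and the log check flags only the Bob and anonymous lines.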


Remediation

Install the security update from the vendor's website.

External links