Information disclosure in XWiki platform - CVE-2024-31464


Published: April 10, 2024 / Updated: May 5, 2026


Vulnerability identifier: #VU129904
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-31464
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the history diff feature exposes the contents of a deleted xobject, including password data, when the differences between revisions are viewed after the deletion. A remote privileged user can delete the xobject that stores a password on a target page and then use the diff feature to read the sensitive information.

This can expose password hashes from user pages or other pages that store passwords in xobjects.
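To make the defect class concrete, the following is an added Python model of a revision diff for typed page objects; it is illustrative code written for this page, not XWiki's own history or diff implementation. It assumes a simplified xobject with properties tagged by type, a "Password" property type that marks secrets, an XWikiUsers-like class name, and a constructed placeholder hash. The unredacted branch reproduces the failure mode the description names (a deleted object's password property printed verbatim in the diff), and the redacted branch shows the masking a fix of this kind needs in every diff branch, not only on deletion.

```python
from dataclasses import dataclass

# Assumption: property types treated as secrets. A password hash stored under a
# "Password" property type is the case the advisory describes.
SENSITIVE_TYPES = frozenset({"Password"})
MASK = "********"


@dataclass(frozen=True)
class XObject:
    """Simplified xobject: a class name plus properties as name -> (type, value)."""
    class_name: str
    properties: dict


@dataclass(frozen=True)
class Revision:
    """One page revision: object key -> XObject attached to the page."""
    objects: dict


def _render(key, name, value, ptype, redact):
    """Format one property line, masking the value when its type is sensitive."""
    if redact and ptype in SENSITIVE_TYPES:
        value = MASK
    return f"{key}.{name} = {value}"


def diff_objects(old, new, redact):
    """Render object-level differences between two revisions as diff lines.

    redact=False reproduces the leaking behaviour: a deleted object's
    properties are printed verbatim, password values included.
    redact=True masks properties whose type is sensitive in every branch
    (deleted, added, changed), so the history view never reveals them.
    """
    lines = []
    for key in sorted(set(old.objects) | set(new.objects)):
        before = old.objects.get(key)
        after = new.objects.get(key)
        if before is not None and after is None:
            # Object deleted: this is the branch the advisory is about.
            for name, (ptype, value) in before.properties.items():
                lines.append("- " + _render(key, name, value, ptype, redact))
        elif before is None and after is not None:
            for name, (ptype, value) in after.properties.items():
                lines.append("+ " + _render(key, name, value, ptype, redact))
        else:
            for name in sorted(set(before.properties) | set(after.properties)):
                b = before.properties.get(name)
                a = after.properties.get(name)
                if b != a:
                    if b is not None:
                        lines.append("- " + _render(key, name, b[1], b[0], redact))
                    if a is not None:
                        lines.append("+ " + _render(key, name, a[1], a[0], redact))
    return lines


# Constructed sample: a user page whose XWikiUsers-like object holds a password
# hash (the hash string is made up for this example), followed by a revision in
# which that object has been deleted.
SAMPLE_HASH = "hash:SHA-512:constructed0123456789abcdef"
REV_1 = Revision(objects={
    "XWiki.XWikiUsers[0]": XObject("XWiki.XWikiUsers", {
        "first_name": ("String", "Alice"),
        "password": ("Password", SAMPLE_HASH),
    }),
})
REV_2 = Revision(objects={})


def leaked_lines(lines):
    """Return the diff lines in which the sample secret appears verbatim."""
    return [line for line in lines if SAMPLE_HASH in line]


if __name__ == "__main__":
    print("\n".join(diff_objects(REV_1, REV_2, redact=False)))
    print("---")
    print("\n".join(diff_objects(REV_1, REV_2, redact=True)))
```

The design point is that redaction has to key off the property's type, not off which diff branch is being rendered: masking only the "changed" branch while printing deleted objects raw is exactly the shape of gap the description reports.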


How to mitigate CVE-2024-31464

Install the security update from the vendor's website.

Sources