CVE-2024-46979: org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users
It’s possible to get access to notification filters of any user by using a URL such as <hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>. This vulnerability impacts all versions of XWiki since 13.2-rc-1.
The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities.
References
- github.com/advisories/GHSA-pg4m-3gp6-hw4w
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/29e5edbb2b7068ada17290cea41e0aa8144e1294
- github.com/xwiki/xwiki-platform/commit/a0352922a1a61e0e858a9be89d73f0665630a63a
- github.com/xwiki/xwiki-platform/commit/c8c6545f9bde6f5aade994aa5b5903a67b5c2582
- github.com/xwiki/xwiki-platform/commit/ed090d1aa228848d3860968c437b72db3b09119f
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-pg4m-3gp6-hw4w
- jira.xwiki.org/browse/XWIKI-20336
- nvd.nist.gov/vuln/detail/CVE-2024-46979
Detect and mitigate CVE-2024-46979 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →