5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45591

GHSA ID

GHSA-pvmm-55r5-g3mm

EPSS Score

0.97632%

CWE

CWE-359

Published

9/10/2024

Updated

9/10/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-45591

CVE-2024-45591: XWiki Platform document history including authors of any page exposed to unauthorized actors

Impact

The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private.

On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable.

Patches

This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.

Workarounds

There aren't any known workarounds apart from upgrading to a fixed version.

References

https://jira.xwiki.org/browse/XWIKI-22052
https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-45591

CVE-2024-45591:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-45591

GHSA ID

GHSA-pvmm-55r5-g3mm

EPSS Score

0.97632%

CWE

CWE-359

Published

9/10/2024

Updated

9/10/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 1.8.0, < 15.10.9	15.10.9
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 16.0.0-rc-1, < 16.3.0-rc-1	16.3.0-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in REST API handlers for page history endpoints. The commit diffs show both functions were modified to add ContextualAuthorizationManager checks for VIEW rights, which were absent in vulnerable versions. The JIRA ticket XWIKI-22052 explicitly identifies these endpoints as problematic, and the CWE-862 (Missing Authorization) classification confirms the lack of permission validation in these functions. Unit tests added in the commit verify authorization enforcement, further confirming these were the vulnerable entry points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-45591: XWiki Platform document history including authors of any page exposed to unauthorized actors

Impact

Patches

Workarounds

References

CVE-2024-45591:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.3

5.3

CVE-2024-45591: XWiki Platform document history including authors of any page exposed to unauthorized actors

Impact

Patches

Workarounds

References

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI