XWiki sites using the `modifications` REST endpoints do not filter entries based on the user's rights. This means that information such as comments, page names and edit logs is exposed to unauthorized users. Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds.

Affected endpoint: `/api/v1/rest/modifications`

What is XWiki?

XWiki is an open source wiki application that allows users to collaboratively create and edit online content. The application is written in Java, JavaScript and PHP. XWiki provides a platform for collaboration with its REST API which can be used to build applications that interact with the wiki from anywhere in the world.

Vulnerability Summary

- This vulnerability allows unauthorized access to information about users, including comments, page names, and edit logs.
- Unpatched versions of XWiki do not filter entries based on user rights, so any information exposed by this vulnerability is available to unauthorized users.
- XWiki versions older than 14.6 are not patched and have no workaround.

XWiki Version Used in the Test Environment

XWiki 14.6+
XWiki 14.4.3+
XWiki 13.10.8+

How to check if you are affected?

To check whether this vulnerability affects you, first use the `xwiki.config` file to locate your `XXWIKI_SECURITY_PASSWORD` value. If it is `null`, the vulnerability does not affect you. If it contains a string, proceed with the instructions below.

Instructions for checking the affected endpoint:
- Log in to your XWiki instance using a web browser.
- Go to `/api/v1/rest/modifications` and look for any unauthorized comments in the page log of your site.
- Log in to your XWiki instance using a web browser and go to any page that has been edited by an unauthorized user (see note below). This lets you see which users have been editing your content without the rights to do so.
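The following is an added example, not code from the advisory or the XWiki project: it runs the check above offline against a saved copy of the modifications response and reports every entry whose page the requesting user (here an anonymous visitor) has no right to view. The XML element names, the `http://www.xwiki.org` namespace and the `ANON_VIEWABLE` rights map are assumptions constructed for the example; compare them against a real response from your own instance before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a modifications response. The element names follow the
# shape assumed for XWiki's REST history listing; verify against your instance.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<history xmlns="http://www.xwiki.org">
  <historySummary>
    <pageId>xwiki:Main.WebHome</pageId>
    <wiki>xwiki</wiki><space>Main</space><name>WebHome</name>
    <version>2.1</version>
    <modifier>XWiki.Admin</modifier>
    <comment>Public landing page update</comment>
  </historySummary>
  <historySummary>
    <pageId>xwiki:HR.Salaries</pageId>
    <wiki>xwiki</wiki><space>HR</space><name>Salaries</name>
    <version>1.3</version>
    <modifier>XWiki.Alice</modifier>
    <comment>Q3 adjustments for engineering</comment>
  </historySummary>
</history>"""

NS = {"x": "http://www.xwiki.org"}  # assumed default namespace of the response

def parse_modifications(xml_text):
    """Return one dict (pageId, version, modifier, comment) per history entry."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.findall("x:historySummary", NS):
        entries.append({
            field: item.findtext(f"x:{field}", default="", namespaces=NS)
            for field in ("pageId", "version", "modifier", "comment")
        })
    return entries

def leaked_entries(entries, can_view):
    """Entries the requesting user must not see: every entry whose page fails the
    view-right check. can_view(page_id) stands in for the server-side rights check
    that a patched server applies before returning an entry."""
    return [e for e in entries if not can_view(e["pageId"])]

# Constructed stand-in for what an anonymous visitor may view on this wiki.
ANON_VIEWABLE = {"xwiki:Main.WebHome"}

def check_anonymous_exposure(xml_text=SAMPLE_RESPONSE, viewable=ANON_VIEWABLE):
    """Return (sorted leaked page ids, leaked entries) for the given response."""
    entries = parse_modifications(xml_text)
    leaked = leaked_entries(entries, lambda page_id: page_id in viewable)
    return sorted({e["pageId"] for e in leaked}), leaked
```

A non-empty result means the endpoint returned page names, modifiers and edit comments for pages the requesting user cannot read, which is the behaviour the upgrade removes.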

Timeline

Published on: 11/22/2022 01:15:00 UTC
Last modified on: 11/28/2022 14:37:00 UTC
