CVE-2024-45591
Published: 10 September 2024
Summary
CVE-2024-45591 is a medium-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in XWiki Platform (listed as vendor Xwiki, product Xwiki). Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform's REST API contains an information disclosure vulnerability that exposes the full revision history of any page whose name is known to an attacker. The leaked data includes modification timestamps, version numbers, author usernames and display names, and version comments. This occurs irrespective of configured access controls and affects even fully private wiki instances. The issue impacts all versions prior to the patches released in XWiki 15.10.9 and 16.3.0RC1 and is tracked under CWE-359 and CWE-862 with a CVSS score of 5.3.
An unauthenticated attacker with network access to the XWiki instance can retrieve this metadata by directly requesting endpoints such as /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history. On a private wiki this allows enumeration of editing activity and contributor identities without any authentication or authorization checks, potentially aiding further targeted attacks or social-engineering efforts.
The official XWiki security advisory GHSA-pvmm-55r5-g3mm and the linked commits (26482ee and 9cbca98) confirm that the exposure is eliminated by upgrading to the fixed releases; no other workarounds are documented. The EPSS score has remained at its peak value of 0.8619 since disclosure, indicating sustained exploitation interest but no post-release climb from a low baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-2848
Vulnerability details
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes, for each modification of the page, the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history; if this shows the history of the main page, then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.
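As an added, defender-side example (written here for this page; it is not part of the advisory and not XWiki project code), the following Python script does two things a practitioner typically wants after reading the details above: it decides from a version string whether an installation predates the fixed releases 15.10.9 and 16.3.0RC1, sorting XWiki's RC and milestone qualifiers below the corresponding final release, and it scans access-log lines for successful, unauthenticated reads of the REST page-history resource. The log lines are constructed samples. The script assumes that the log's auth-user field reflects the requesting user, which holds only when the servlet container performs authentication; when XWiki itself handles login, a "-" in that field should be confirmed against XWiki's own session records before being treated as anonymous access.

```python
import re
from typing import List, Tuple

# Fixed releases named in the advisory for CVE-2024-45591.
FIXED_15_BRANCH = "15.10.9"
FIXED_16_BRANCH = "16.3.0RC1"

# Accepts "15.10.9", "16.3.0RC1", "16.3.0-rc-1", "16.0.0-milestone-2", "16.1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(milestone|m|rc)-?(\d+))?$", re.IGNORECASE
)
_PRE_RANK = {"milestone": 0, "m": 0, "rc": 1}  # a final release ranks above both


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a comparable tuple.

    Pre-release qualifiers sort below the final release of the same number,
    so 16.3.0RC1 < 16.3.0 but 16.3.0RC1 > 16.2.x.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    rank = _PRE_RANK[pre.lower()] if pre else 2
    return (int(major), int(minor), int(patch or 0), rank, int(pre_num or 0))


def is_affected(version: str) -> bool:
    """True when `version` predates the fix on its branch.

    The 15.x branch is fixed from 15.10.9; every other version is measured
    against 16.3.0RC1, so 14.x and 16.0-16.2 count as affected and 17.x does not.
    """
    key = version_key(version)
    threshold = FIXED_15_BRANCH if key[0] == 15 else FIXED_16_BRANCH
    return key < version_key(threshold)


# Common log format: host ident authuser [time] "method path proto" status size.
_CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# REST history resource: /rest/wikis/<wiki>/spaces/<s>[/spaces/<s>...]/pages/<page>/history
_HISTORY_PATH_RE = re.compile(r"/rest/wikis/[^/]+/(?:spaces/[^/]+/)+pages/[^/]+/history\b")


def unauthenticated_history_reads(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client, path) for successful GETs of a page-history resource
    whose authuser field is '-'.

    Assumption: the container writes the authenticated user into that field.
    If authentication happens only inside XWiki, a '-' means 'anonymous as far
    as this log knows' and must be confirmed against XWiki's own session data.
    """
    hits = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if not m:
            continue
        client, user, method, path, status = m.groups()
        if method == "GET" and status == "200" and user == "-" and _HISTORY_PATH_RE.search(path):
            hits.append((client, path))
    return hits


# Constructed sample lines for demonstration; not taken from any real deployment.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2024:10:01:12 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history HTTP/1.1" 200 2311',
    '203.0.113.7 - - [10/Sep/2024:10:01:13 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/spaces/Sub/pages/Page/history?number=50 HTTP/1.1" 200 1874',
    '198.51.100.4 - alice [10/Sep/2024:10:02:00 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history HTTP/1.1" 200 2311',
    '203.0.113.7 - - [10/Sep/2024:10:02:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Sep/2024:10:02:45 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 401 0',
]


if __name__ == "__main__":
    for v in ("14.10.21", "15.10.8", "15.10.9", "16.2.1", "16.3.0RC1", "16.3.0"):
        print(f"{v:10} affected={is_affected(v)}")
    for client, path in unauthenticated_history_reads(SAMPLE_LOG):
        print(f"anonymous history read from {client}: {path}")
```

The version check is deliberately branch-aware: a plain numeric comparison against 16.3.0RC1 would wrongly flag 15.10.9 and later 15.x maintenance releases as vulnerable, and a comparison that ignores qualifiers would treat 16.3.0RC1 as older than 16.2.x. The log scan is a triage aid for the window before the upgrade: it surfaces which clients read page history without a container-level session, which is the activity the advisory describes.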
- CWE(s): CWE-359, CWE-862
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
The privacy program plan explicitly addresses protection of personal information, mandating controls and resources that prevent unauthorized exposure of private personal data across the enterprise.
The control mandates an auditable trail specifically for private personal information, making unauthorized disclosures of PII more readily discoverable by the affected individual.
The board evaluates privacy implications of proposed matching, directly mitigating exposure of private personal information through uncontrolled data sharing.
Directly monitors compliance with mandates protecting personal information, making undetected exposure to unauthorized actors harder to sustain.
PII transparency and processing policy plus procedures reduce the chance of unauthorized exposure of private personal information.
Enforces restriction of PII processing to authorized purposes, reducing exposure of private personal information to unauthorized actors.
Mandating consent prior to collection directly prevents unauthorized exposure of private personal information.