CVE-2024-26138: 
Java vulnerability analysis and mitigation

The XWiki licensor application, which manages and enforces application licenses for paid extensions, contains a vulnerability (CVE-2024-26138) discovered in February 2024. The vulnerability exists in the document Licenses.Code.LicenseJSON that provides information for administrators regarding active licenses. This document is publicly accessible and exposes sensitive information including instance IDs, license owner details (first name, last name, and email) (GitHub Advisory).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The vulnerability affects all versions of the XWiki Application Licensing from version 1.0 up to (excluding) 1.24.2. The technical issue stems from improper access control where license information that should be restricted to administrators is publicly accessible (NVD).

The exposure of this information has multiple security implications. First, the instance ID can be used to associate data with specific XWiki instances, compromising the anonymity promised by the active installs feature. Additionally, the exposed license owner information, including email addresses that might normally be obfuscated, can be leveraged for targeted phishing attacks (GitHub Advisory).

The vulnerability has been fixed in Application Licensing version 1.24.2. There are no known workarounds besides upgrading to the patched version. Organizations using affected versions should update their installations immediately (GitHub Advisory).