CVE-2024-45591: 
Java vulnerability analysis and mitigation

The REST API in XWiki Platform versions from 1.8 to 15.10.9 and 16.0.0-rc-1 to 16.3.0-rc-1 contains a vulnerability that exposes page history information to unauthorized users. The vulnerability allows attackers to access the modification history of any page in XWiki if they know the page name, regardless of access rights or privacy settings (GitHub Advisory).

The vulnerability affects two REST API endpoints: '/wikis/{wikiName}/spaces/{spaceName}/pages/{pageName}/history' and '/wikis/{wikiName}/spaces/{spaceName}/pages/{pageName}/translations/{language}/history'. The issue stems from a missing authorization check when accessing page history information. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

When exploited, the vulnerability allows unauthorized access to page modification history, including sensitive metadata such as modification timestamps, version numbers, usernames, display names of authors, and version comments. This information disclosure occurs even when the wiki is configured to be fully private (GitHub Advisory).

The vulnerability has been patched in XWiki versions 15.10.9 and 16.3.0RC1. There are no known workarounds apart from upgrading to a fixed version (GitHub Advisory).