CVE-2024-46978: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, contains a vulnerability that allows any user knowing the ID of a notification filter preference of another user to enable/disable it or delete it. This vulnerability (CVE-2024-46978) has been present since version 13.2-rc-1 and has been patched in versions 14.10.21, 15.5.5, 15.10.1, and 16.0-rc-1 (GitHub Advisory).

The vulnerability is classified as a Moderate severity issue with a CVSS v3.1 base score of 6.5 (MEDIUM). The CVSS vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability. The vulnerability is categorized under CWE-648 (Incorrect Use of Privileged APIs) (GitHub Advisory).

The primary impact of this vulnerability is that targeted users might start losing notifications on some pages due to unauthorized modification of their notification filter preferences. An attacker can manipulate another user's notification settings by enabling, disabling, or deleting their notification filter preferences without proper authorization (GitHub Advisory).

The vulnerability has been patched in XWiki versions 14.10.21, 15.5.5, 15.10.1, and 16.0-rc-1. The patch implements proper rights checking before performing any actions on the filters. As a workaround, administrators can manually fix the vulnerability by editing the document XWiki.Notifications.Code.NotificationPreferenceService to apply the changes from commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 (GitHub Advisory).