CVE-2024-46978

CVSS score: 6.5 (MEDIUM)

📋 TL;DR

This vulnerability in XWiki Platform lets any authenticated user enable, disable, or delete another user's notification filter preferences simply by knowing the filter ID: the service that stores the preference never checks that the caller owns it. A targeted user silently stops receiving notifications about page changes they were watching (or, if an exclusion filter is removed, starts receiving ones they had filtered out). Installations from 13.2-rc-1 onward are affected until upgraded to a patched release (14.10.21, 15.5.5, 15.10.1, or 16.0-rc-1).

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 13.2-rc-1 through 14.10.20, 15.0.0 through 15.5.4, 15.6.0 through 15.10.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Every installation running an affected version is vulnerable by default; there is no configuration setting that disables the flaw. Exploitation requires a logged-in account but no rights beyond those of an ordinary user.

📦 What is this software?

XWiki Platform is an open-source, Java-based enterprise wiki. Its notification feature lets each user define filter preferences (for example, which pages or event types to include or exclude) that control which page-change and comment events they are told about. The vulnerable component is the wiki document XWiki.Notifications.Code.NotificationPreferenceService, which stores and updates those per-user filter preferences.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker who can obtain filter IDs could systematically disable or delete the filters of administrators or other key users, so that changes they rely on being told about (edits to sensitive pages, new comments, other watched events) go unnoticed, and any incident that would have been spotted through those notifications is detected late or not at all. The flaw alters notification behaviour only; it does not by itself grant read or write access to content.

🟠 Likely Case

Users lose notifications about page edits, comments, or other activities they were monitoring, disrupting collaboration workflows and causing important updates to be missed.

🟢 If Mitigated

Once a patched release or the manual code fix is in place, the service rejects changes to filters the caller does not own. Even before that, the impact is confined to notification delivery; on its own this is not a path to data disclosure, privilege escalation, or system takeover.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (an account is required)
Complexity: LOW

Exploitation requires an authenticated account plus the ID of the target user's filter preference. This page does not state how those IDs are generated, so do not rely on them being secret: the patch adds an ownership check, not obscurity, and any other view that exposes filter IDs would hand an attacker what they need.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx

Restart Required: Yes

Instructions:

1. Back up the XWiki installation (database and permanent directory).
2. Upgrade to a patched version: 14.10.21, 15.5.5, 15.10.1, or 16.0-rc-1 (stay on your current branch where possible).
3. Restart the XWiki application server.
4. Confirm the new version in Administration → About XWiki.

🔧 Temporary Workarounds

Manual code patch (all affected versions)

If an upgrade is not immediately possible, apply the security fix by hand: edit the wiki document XWiki.Notifications.Code.NotificationPreferenceService and replicate the changes from commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 in the xwiki-platform repository. Because the vulnerable code lives in a wiki page rather than a compiled class, an administrator can make the change through the page editor without rebuilding or redeploying. The edited page will be replaced on the next upgrade, which is the intended outcome once that upgrade targets a patched release.

🧯 If You Can't Patch

  • No configuration setting removes the flaw; the missing check is ownership of the filter, which only the patch or the manual code change supplies. Reduce the pool of potential attackers instead: disable open self-registration and review which accounts exist, since any authenticated user can exploit this.
  • Monitor for unusual notification filter modifications (see Detection & Monitoring below) and alert on any change to a filter owned by an administrator or other high-value account.

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version via Administration → About XWiki. The system is vulnerable if the version falls within any of these inclusive ranges: 13.2-rc-1 to 14.10.20, 15.0.0 to 15.5.4, or 15.6.0 to 15.10.0.

Check Version:

Check via the XWiki web interface (Administration → About XWiki) or, for scripted checks, the `$xwiki.version` scripting API from a page you control. Note that xwiki.cfg and xwiki.properties are configuration files; they do not record the installed version.

Verify Fix Applied:

After patching, verify that Administration → About XWiki shows 14.10.21, 15.5.5, 15.10.1, or 16.0-rc-1 (or later on the same branch). As a functional check, log in as a low-privileged user and attempt to enable, disable, or delete a filter preference owned by a different user, using a filter ID taken from that other account's notification settings; the request must be rejected, and the filter must be unchanged when viewed from the owning account.
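The version comparison above is easy to get wrong by hand because XWiki version strings mix numeric releases with release candidates (13.2-rc-1 sorts before 13.2, and 16.0-rc-1 before 16.0). The following is an added example, not code from XWiki or from this page's author, that encodes the affected ranges listed under "Check if Vulnerable" with the first patched release of each branch as the exclusive upper bound, and reports the release to upgrade to. The script name in the usage comment is an assumption.

```python
import re
import sys
from typing import Optional, Tuple

# Affected ranges as listed on this page. Lower bound inclusive; the upper
# bound is the first patched release of that branch and is excluded.
AFFECTED_RANGES = [
    ("13.2-rc-1", "14.10.21"),
    ("15.0.0", "15.5.5"),
    ("15.6.0", "15.10.1"),
]

# major.minor[.patch][-rc-N]; XWiki names the first release of a cycle
# without a trailing .0 (e.g. "15.10"), which parses the same as "15.10.0".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Map an XWiki version string to a tuple that sorts in release order.

    The fourth element is 0 for a release candidate and 1 for a final
    release, so "16.0-rc-1" sorts below "16.0"; the fifth is the rc number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if rc else 1, int(rc or 0))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (lower, fixed) range containing `version`, or None."""
    pv = parse_version(version)
    for lower, fixed in AFFECTED_RANGES:
        if parse_version(lower) <= pv < parse_version(fixed):
            return (lower, fixed)
    return None


def is_vulnerable(version: str) -> bool:
    return affected_range(version) is not None


def recommended_fix(version: str) -> Optional[str]:
    """Smallest patched release on the same branch, or None if not affected."""
    rng = affected_range(version)
    return rng[1] if rng else None


if __name__ == "__main__":
    # Usage (assumed file name): python check_cve_2024_46978.py 15.5.4 16.0-rc-1
    for arg in sys.argv[1:]:
        fix = recommended_fix(arg)
        if fix:
            print(f"{arg}: VULNERABLE to CVE-2024-46978, upgrade to {fix} or later")
        else:
            print(f"{arg}: not in an affected range")
```

The ranges follow this page's table literally, so a pre-release build that sits in a gap (for example a 15.0 release candidate, which the table does not list) is reported as not affected; if you run such a build, treat it as affected until you have confirmed otherwise against the vendor advisory.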

📡 Detection & Monitoring

Log Indicators:

  • A filter preference changed by an account other than its owner (the definitive signal; it requires resolving the filter ID in the request to its owner, because the request itself names the filter, not the victim)
  • Many filter changes from a single account within a short window
  • Changes to filters owned by administrators or other high-value accounts

Network Indicators:

  • Requests to the notification preference service from accounts that have no reason to use it, or at a rate no person would produce. The vulnerable service is the wiki document XWiki.Notifications.Code.NotificationPreferenceService, so under XWiki's default URL scheme its requests appear in the servlet container or reverse-proxy access log under /xwiki/bin/get/XWiki/Notifications/Code/NotificationPreferenceService. An access log alone cannot distinguish a legitimate change from a cross-user one, since the request carries a filter ID rather than a user ID.

SIEM Query:

Pseudo-query. The field names are placeholders to be mapped onto whatever your XWiki, servlet container, or proxy logging actually emits; notification_filter_modification is not an event XWiki produces out of the box.

source="xwiki" AND event="notification_filter_modification" AND actor!=filter_owner

Here filter_owner is the owner of the filter named by the request's filter ID and must be looked up (for example, from XWiki's database) before the comparison; an alert on actor!=filter_owner is the condition that the patch makes impossible.
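The three log indicators above can be turned into working detection logic once filter changes are available as structured events with the filter's owner already resolved. The following is an added example, not code from XWiki or from this page; XWiki does not emit this feed itself, so the JSON field names (ts, actor, action, filter_id, filter_owner), the administrator list, the thresholds, and the sample events are all constructed assumptions standing in for whatever an audit pipeline in front of the service would produce. It flags every cross-user change (escalated when the owner is an administrator) and bursts of changes by one account inside a sliding window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample feed for this example (not real XWiki output). One JSON
# object per line; filter_owner is assumed to have been resolved upstream.
SAMPLE_EVENTS = """\
{"ts": "2024-09-10T09:00:00+00:00", "actor": "XWiki.Alice",   "action": "filter.disable", "filter_id": "nfp-1",  "filter_owner": "XWiki.Alice"}
{"ts": "2024-09-10T09:01:00+00:00", "actor": "XWiki.Mallory", "action": "filter.disable", "filter_id": "nfp-7",  "filter_owner": "XWiki.Admin"}
{"ts": "2024-09-10T09:01:05+00:00", "actor": "XWiki.Mallory", "action": "filter.delete",  "filter_id": "nfp-8",  "filter_owner": "XWiki.Bob"}
{"ts": "2024-09-10T09:01:10+00:00", "actor": "XWiki.Mallory", "action": "filter.disable", "filter_id": "nfp-9",  "filter_owner": "XWiki.Bob"}
{"ts": "2024-09-10T09:01:15+00:00", "actor": "XWiki.Mallory", "action": "filter.disable", "filter_id": "nfp-10", "filter_owner": "XWiki.Carol"}
{"ts": "2024-09-10T09:01:20+00:00", "actor": "XWiki.Mallory", "action": "filter.enable",  "filter_id": "nfp-11", "filter_owner": "XWiki.Carol"}
{"ts": "2024-09-10T09:05:00+00:00", "actor": "XWiki.Bob",     "action": "filter.enable",  "filter_id": "nfp-12", "filter_owner": "XWiki.Bob"}
"""

ADMIN_USERS = {"XWiki.Admin"}  # assumed set of high-value accounts
BURST_THRESHOLD = 5            # assumed: this many changes by one actor ...
BURST_WINDOW_S = 60            # ... within this many seconds is a burst


def analyse(lines: Iterable[str],
            admin_users=ADMIN_USERS,
            threshold: int = BURST_THRESHOLD,
            window_s: int = BURST_WINDOW_S) -> List[Dict]:
    """Run the page's three log indicators over a JSON-lines event feed."""
    alerts: List[Dict] = []
    recent: Dict[str, deque] = defaultdict(deque)  # actor -> timestamps in window

    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ts = datetime.fromisoformat(ev["ts"])
        actor, owner = ev["actor"], ev["filter_owner"]

        # Indicators 1 and 3: changing a filter you do not own is never
        # legitimate; escalate when the owner is an administrator.
        if actor != owner:
            alerts.append({
                "type": "cross_user",
                "severity": "high" if owner in admin_users else "medium",
                "actor": actor, "target": owner,
                "filter_id": ev["filter_id"], "action": ev["action"], "ts": ev["ts"],
            })

        # Indicator 2: many filter changes by one actor in a short window.
        window = recent[actor]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) == threshold:  # fire once, when the threshold is crossed
            alerts.append({
                "type": "burst", "severity": "medium",
                "actor": actor, "count": len(window),
                "window_s": window_s, "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

The cross-user rule is the one worth keeping after patching: on a fixed instance it should never fire, so any hit means either the fix is missing or a filter-ownership assumption in the feed is wrong. The burst rule is a heuristic and will need its threshold tuned to how often your users genuinely reorganise their notification settings.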

🔗 References

  • Vendor advisory GHSA-r95w-889q-x2gx: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx
  • Fix commit: https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4
