XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

授权机制缺失

XWiki Platform 安全漏洞

XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在安全漏洞，该漏洞源于附件元数据访问控制不当，可能导致信息泄露。以下版本受到影响：1.8.1至14.10.22之前版本、15.0-rc-1至15.10.12之前版本、16.0.0-rc-1至16.4.3之前版本和16.5.0-rc-1至16.7.0之前版本。

N/A

N/A