XWiki Platform REST API Class Property Values Title Disclosure Vulnerability

Vulnerability

A vulnerability exists in the XWiki Platform REST API for class property values that allows unauthorized access to the titles of pages whose references are known. This issue affects XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1. The vulnerability arises when an XClass with a page property is accessible, which is the default configuration of an XWiki installation. In that case, an attacker can retrieve page titles one at a time by sending an individual request per page reference. The vulnerability does not affect fully private wikis, where access rights are enforced for the whole wiki, but it can pose a significant risk in other deployments, particularly where page names are deliberately obfuscated to protect sensitive information.

Impact

Exploitation of this vulnerability grants unauthorized access to page titles through the REST API, disclosing sensitive information wherever titles are meant to remain confidential.

Reproduction

To reproduce this vulnerability, create a page with a sensitive title and restrict its view right to admins. Then, as a user without admin rights, send a request to the REST API endpoint for class property values, specifying that page's reference. The response includes the title despite the caller lacking view access to the page.

Remediation

This vulnerability has been fixed in XWiki versions 16.4.7, 16.10.3, and 17.0.0. Users should upgrade to one of these versions. As a quick check, compare the running XWiki version against the affected ranges above: any release from 10.9 up to and including 16.4.6, from 16.5.0-rc-1 up to and including 16.10.2, or exactly 17.0.0-rc-1 is affected.
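The following is an added example (not part of the advisory or of the XWiki project) that encodes the affected ranges and fixed versions stated above into a small version checker. It assumes XWiki version strings of the form MAJOR.MINOR[.PATCH][-rc-N], with a release candidate sorting before the final release of the same number; any other form is rejected rather than guessed at.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges and fixed versions exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("10.9", "16.4.6"),
    ("16.5.0-rc-1", "16.10.2"),
    ("17.0.0-rc-1", "17.0.0-rc-1"),
]
FIXED_VERSIONS = ["16.4.7", "16.10.3", "17.0.0"]

# Assumed version grammar: MAJOR.MINOR[.PATCH][-rc-N]
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a sortable tuple.

    The fourth element is 1 for a final release and 0 for a release
    candidate, so 16.5.0-rc-1 sorts before 16.5.0; the fifth element is
    the RC number. Snapshots or other forms raise ValueError.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor or 0), int(patch or 0), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Smallest fixed version newer than an affected version, else None."""
    if not is_affected(version):
        return None
    v = parse_version(version)
    candidates: List[str] = [f for f in FIXED_VERSIONS if parse_version(f) > v]
    return min(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    for ver in ["16.4.6", "16.4.7", "16.10.0-rc-1", "17.0.0-rc-1", "17.0.0"]:
        print(ver, "affected" if is_affected(ver) else "not affected",
              recommended_upgrade(ver))
```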

Added: Jun 13, 2025, 6:35 PM
Updated: Jun 13, 2025, 6:35 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.