How severe is CVE-2024-46978?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2024-46978?

This is classified as CWE-648, which is a common weakness in software security.

CVE-2024-46978 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists in checking properly the rights of the user before performing any action on the filters. Users are advised to upgrade. It's possible to fix manually the vulnerability by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.

Related Vulnerabilities

CVE-2020-7927

MEDIUM

CVSS:6.5(Medium)

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions...

CWE-6482020

CVE-2023-20136

MEDIUM

CVSS:6.5(Medium)

A vulnerability in the OpenAPI of Cisco Secure Workload could allow an authenticated, remote attacker with the privileges of a read-only user to execute operations that should require Administrator pr...

CWE-6482023

CVE-2024-53007

MEDIUM

CVSS:6.4(Medium)

Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call.

CWE-6482024

CVE-2022-24073

HIGH

CVSS:7.1(High)

The Web Request API in Whale browser before 3.12.129.18 allowed to deny access to the extension store or redirect to any URL when users access the store.

CWE-6482022

CVE-2023-29507

HIGH

CVSS:7.2(High)

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in...

CWE-6482023

CVE-2023-4009

HIGH

CVSS:7.2(High)

In MongoDB Ops Manager v5.0 prior to 5.0.22 and v6.0 prior to 6.0.17 it is possible for an authenticated user with project owner or project user admin access to generate an API key with the privileges...

CWE-6482023