CVE-2024-26138: CWE-862: Missing Authorization in xwikisas application-licensing

Medium
Published: Wed Feb 21 2024 (02/21/2024, 16:52:25 UTC)
Source: CVE
Vendor/Project: xwikisas
Product: application-licensing

Description

The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information about who the license owner is and about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading.

AI-Powered Analysis

Last updated: 06/21/2025, 22:41:25 UTC

Technical Analysis

CVE-2024-26138 is a medium-severity vulnerability classified under CWE-862 (Missing Authorization) affecting the XWiki application-licensing component, specifically versions from 1.0 up to but not including 1.24.2. The vulnerability arises because the document `Licenses.Code.LicenseJSON`, which contains sensitive licensing information, is publicly accessible without proper authorization controls. This document exposes the instance ID of the XWiki installation along with personally identifiable information (PII) of the license owner, including their first and last names and email address. Normally, such information is intended only for administrators and should not be publicly available. The instance ID is a unique identifier that can be correlated with active install data, which is supposed to be anonymized to prevent tracing back to specific users or organizations. The exposure of license owner details and instance IDs can facilitate targeted phishing campaigns and social engineering attacks against the affected organizations. Although user information is generally public in XWiki, email addresses may be obfuscated depending on configuration; this vulnerability bypasses such protections by making the license document fully public. The issue has been resolved in version 1.24.2 of the application-licensing component. No known exploits are currently reported in the wild, and no alternative mitigations exist aside from upgrading to the fixed version. This vulnerability does not require authentication or user interaction to exploit, because the missing authorization check leaves the document readable by unauthenticated users.

Potential Impact

For European organizations using XWiki with the vulnerable application-licensing versions, this vulnerability poses a significant privacy and security risk. The leakage of license owner PII and instance IDs can lead to targeted phishing attacks, potentially compromising user credentials or enabling further intrusion attempts. The correlation of instance IDs with active install data undermines the anonymity assurances provided by XWiki, potentially exposing organizational usage patterns and license details to unauthorized parties. This could lead to reputational damage, especially for organizations subject to strict data protection regulations such as GDPR. Additionally, attackers could leverage the exposed information to craft convincing spear-phishing campaigns aimed at administrative personnel, increasing the risk of credential theft or malware deployment. While the vulnerability does not directly allow system compromise or data manipulation, the indirect risks through social engineering and privacy violations are notable. The impact is heightened for organizations with sensitive or critical deployments of XWiki, including government agencies, research institutions, and enterprises relying on paid extensions managed by the licensing component.

Mitigation Recommendations

The primary and only effective mitigation is to upgrade the XWiki application-licensing component to version 1.24.2 or later, where the missing authorization check has been implemented. Organizations should prioritize this upgrade in their patch management cycles. Additionally, administrators should audit their public-facing XWiki instances to verify that sensitive documents like `Licenses.Code.LicenseJSON` are not accessible without proper authorization. If upgrading immediately is not feasible, organizations should consider restricting access to the affected document via web server configuration or firewall rules to limit exposure to trusted IP ranges or authenticated users only. Monitoring access logs for unusual or repeated requests to this document can help detect potential reconnaissance attempts. Furthermore, organizations should educate their users, especially license owners and administrators, about the increased risk of phishing attacks stemming from this vulnerability and reinforce phishing awareness training. Finally, reviewing and tightening overall access control policies within XWiki and ensuring that sensitive information is not inadvertently exposed publicly will help reduce similar risks.
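The access-log monitoring suggested above, as an added example that is not part of the advisory or of XWiki's own code: it parses constructed Apache/nginx "combined" log lines and counts successful fetches of the license document made without an authenticated user, which on an unpatched instance means the owner PII and instance id were served anonymously. It assumes XWiki maps `Licenses.Code.LicenseJSON` to the path `/bin/<action>/Licenses/Code/LicenseJSON` and that the proxy records the authenticated principal in the log's user field; both are deployment-specific.

```python
"""Flag anonymous retrievals of Licenses.Code.LicenseJSON (CVE-2024-26138)
in web server access logs. Added example, not part of the advisory."""
import re
from collections import Counter

# Assumption: nested XWiki spaces become path segments, so the document is
# reachable at /bin/<action>/Licenses/Code/LicenseJSON under the context path.
LICENSE_DOC_RE = re.compile(
    r"/bin/(?:view|get|download)/Licenses/Code/LicenseJSON(?:[/?]|$)")

# Apache/nginx "combined" format; the third field is the authenticated user
# or "-". Assumption: the proxy is configured to log XWiki's principal there.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def license_doc_hits(lines):
    """Yield requests for the license document that got a 2xx answer,
    i.e. the license data was actually served."""
    for line in lines:
        rec = parse_line(line)
        if rec and LICENSE_DOC_RE.search(rec["path"]) and rec["status"][0] == "2":
            yield rec

def anonymous_readers(lines):
    """Count, per client IP, successful fetches with no authenticated user.
    Any non-zero count on a vulnerable instance is a confirmed disclosure."""
    counts = Counter()
    for rec in license_doc_hits(lines):
        if rec["user"] == "-":
            counts[rec["ip"]] += 1
    return dict(counts)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2024:17:01:02 +0000] "GET /xwiki/bin/view/Licenses/Code/LicenseJSON HTTP/1.1" 200 612 "-" "curl/8.4.0"',
    '203.0.113.5 - - [21/Feb/2024:17:01:09 +0000] "GET /xwiki/bin/get/Licenses/Code/LicenseJSON?outputSyntax=plain HTTP/1.1" 200 598 "-" "curl/8.4.0"',
    '198.51.100.7 - admin [21/Feb/2024:17:03:44 +0000] "GET /xwiki/bin/view/Licenses/Code/LicenseJSON HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Feb/2024:17:05:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Feb/2024:17:05:31 +0000] "GET /xwiki/bin/view/Licenses/Code/LicenseJSON HTTP/1.1" 403 211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in anonymous_readers(SAMPLE_LOG).items():
        print(f"{ip}: {n} anonymous fetch(es) of Licenses.Code.LicenseJSON")
```

After the upgrade to 1.24.2 the same query should only ever report the 403 pattern seen in the last sample line, so a non-empty result is also a quick check that the patch is in effect.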

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2024-02-14T17:40:03.688Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf6b35

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 10:41:25 PM

Last updated: 7/31/2025, 8:19:31 PM
