License information is public, exposing instance id and license holder details
Description
XWiki Application Licensing exposes license info via a public document, leaking instance IDs and owner details, enabling de-anonymization and phishing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The XWiki Application Licensing extension includes the document Licenses.Code.LicenseJSON, which was intended for administrative use but is publicly accessible without authentication. This page exposes sensitive information about active licenses, including the instance ID (UUID), and the first and last name and email address of the license owner [1].
Exploitation
An attacker can access the public document directly, gaining the instance UUID and license owner details. The instance UUID can be correlated with the Active Installs data, which was designed to be anonymous (claiming "there's no way to find who's having a given UUID"), thus breaking the anonymity of the Active Installs system [2]. The owner's name and email can be used for targeted phishing attacks. Additionally, email addresses may be obfuscated in normal user profiles, but this page bypasses that protection, exposing them in plain text [1].
Impact
The vulnerability allows an attacker to de-anonymize an XWiki instance, associate it with Active Installs data, and learn the identity of the license owner. This information enables targeted phishing attacks and violates the intended privacy guarantees of the Active Installs program [1][2].
Mitigation
The issue is fixed in Application Licensing version 1.24.2, which restricts access to the Licenses.Code.LicenseJSON document [1][3]. There are no known workarounds; upgrading to the patched version is required [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
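One way to confirm the mitigation on an exported copy of the space preferences, as an added example (not code from XWiki or from the advisory): it reads the rights objects out of a document export shaped like the patch's Licenses/WebPreferences.xml and reports which principals are granted `view`. The sample documents are constructed, the function names are hypothetical, and the audit looks only at allow rules in the one document it is given, ignoring deny rules and page-level rights objects.

```python
import re
import xml.etree.ElementTree as ET

# Rights classes XWiki stores on pages (space-level and page-level).
RIGHTS_CLASSES = {"XWiki.XWikiGlobalRights", "XWiki.XWikiRights"}
ADMIN_GROUP = "XWiki.XWikiAdminGroup"

# Constructed sample mirroring the property values visible in the patch.
PATCHED_SAMPLE = """<?xml version="1.1" encoding="UTF-8"?>
<xwikidoc version="1.4" reference="Licenses.WebPreferences" locale="">
  <web>Licenses</web>
  <name>WebPreferences</name>
  <object>
    <name>Licenses.WebPreferences</name>
    <number>0</number>
    <className>XWiki.XWikiGlobalRights</className>
    <class>
      <name>XWiki.XWikiGlobalRights</name>
      <allow><defaultValue>1</defaultValue><name>allow</name></allow>
    </class>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>edit,view</levels></property>
    <property><users/></property>
  </object>
</xwikidoc>
"""

# Constructed variant: the same rule also names the all-users group.
WIDENED_SAMPLE = PATCHED_SAMPLE.replace(
    "<groups>XWiki.XWikiAdminGroup</groups>",
    "<groups>XWiki.XWikiAdminGroup,XWiki.XWikiAllGroup</groups>")

# Constructed variant: preferences page with no rights object at all.
NO_RIGHTS_SAMPLE = """<xwikidoc version="1.4" reference="Licenses.WebPreferences">
  <object><className>XWiki.XWikiPreferences</className></object>
</xwikidoc>
"""


def _split(value):
    """Split a comma-separated property value such as 'edit,view'."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def parse_rights(xml_text):
    """Return the rights objects stored in one exported XWiki document."""
    # expat is an XML 1.0 parser; drop the version="1.1" declaration the
    # export carries before handing the text to ElementTree.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    rules = []
    for obj in root.findall("object"):
        class_name = (obj.findtext("className") or "").strip()
        if class_name not in RIGHTS_CLASSES:
            continue
        # Values live in <property> children; the <class> child only
        # describes the schema and reuses the same tag names.
        props = {child.tag: (child.text or "")
                 for prop in obj.findall("property") for child in prop}
        rules.append({
            "class": class_name,
            # Assumption: a missing allow value is treated as allow (1).
            "allow": props.get("allow", "1").strip() == "1",
            "groups": _split(props.get("groups")),
            "users": _split(props.get("users")),
            "levels": _split(props.get("levels")),
        })
    return rules


def audit_right(xml_text, right="view", admin_group=ADMIN_GROUP):
    """Classify who the document's allow rules grant `right` to."""
    allowed = set()
    for rule in parse_rights(xml_text):
        if rule["allow"] and right in rule["levels"]:
            allowed.update(rule["groups"], rule["users"])
    if not allowed:
        # Nothing set here: access is decided by rights set elsewhere.
        return {"status": "inherited", "principals": []}
    others = allowed - {admin_group}
    status = "widened" if others else "admin-only"
    return {"status": status, "principals": sorted(allowed)}


if __name__ == "__main__":
    for label, doc in [("patched", PATCHED_SAMPLE),
                       ("widened", WIDENED_SAMPLE),
                       ("no rights object", NO_RIGHTS_SAMPLE)]:
        print(label, audit_right(doc))
```

An `inherited` result means this document sets nothing for the right, so the effective access has to be read from the wiki's other rights settings.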
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.xwiki.licensing:application-licensing-licensor-ui (Maven) | >= 1.0, < 1.24.2 | 1.24.2 |
Affected products
2- Range: >= 1.0, < 1.24.2
Patches
1d168fb88fc0d Improve visibility access for licenses pages (#148)
1 file changed · +1489 −0
application-licensing-licensor/application-licensing-licensor-ui/src/main/resources/Licenses/WebPreferences.xml+1489 −0 added@@ -0,0 +1,1489 @@ +<?xml version="1.1" encoding="UTF-8"?> + +<!-- + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. 
+--> + +<xwikidoc version="1.4" reference="Licenses.WebPreferences" locale=""> + <web>Licenses</web> + <name>WebPreferences</name> + <language/> + <defaultLanguage/> + <translation>0</translation> + <creator>xwiki:XWiki.Admin</creator> + <parent>Licenses.WebHome</parent> + <author>xwiki:XWiki.Admin</author> + <contentAuthor>xwiki:XWiki.Admin</contentAuthor> + <version>1.1</version> + <title>$services.localization.render('admin.preferences.title')</title> + <comment/> + <minorEdit>false</minorEdit> + <syntaxId>xwiki/2.1</syntaxId> + <hidden>true</hidden> + <content/> + <object> + <name>Licenses.WebPreferences</name> + <number>0</number> + <className>XWiki.XWikiGlobalRights</className> + <guid>f39b257d-ebae-47f1-b0ab-215a8bb82000</guid> + <class> + <name>XWiki.XWikiGlobalRights</name> + <customClass/> + <customMapping/> + <defaultViewSheet/> + <defaultEditSheet/> + <defaultWeb/> + <nameField/> + <validationScript/> + <allow> + <defaultValue>1</defaultValue> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>allow</displayType> + <name>allow</name> + <number>4</number> + <prettyName>Allow/Deny</prettyName> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </allow> + <groups> + <cache>0</cache> + <disabled>0</disabled> + <displayType>input</displayType> + <multiSelect>1</multiSelect> + <name>groups</name> + <number>1</number> + <picker>1</picker> + <prettyName>Groups</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>5</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.GroupsClass</classType> + </groups> + <levels> + <cache>0</cache> + <disabled>0</disabled> + <displayType>select</displayType> + <multiSelect>1</multiSelect> + <name>levels</name> + <number>2</number> + <prettyName>Levels</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>3</size> + 
<unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.LevelsClass</classType> + </levels> + <users> + <cache>0</cache> + <disabled>0</disabled> + <displayType>input</displayType> + <multiSelect>1</multiSelect> + <name>users</name> + <number>3</number> + <picker>1</picker> + <prettyName>Users</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>5</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.UsersClass</classType> + </users> + </class> + <property> + <allow>1</allow> + </property> + <property> + <groups>XWiki.XWikiAdminGroup</groups> + </property> + <property> + <levels>edit,view</levels> + </property> + <property> + <users/> + </property> + </object> + <object> + <name>Licenses.WebPreferences</name> + <number>0</number> + <className>XWiki.XWikiPreferences</className> + <guid>314b6a1e-5fc1-46ec-8700-94707ebf67ec</guid> + <class> + <name>XWiki.XWikiPreferences</name> + <customClass/> + <customMapping>internal</customMapping> + <defaultViewSheet/> + <defaultEditSheet/> + <defaultWeb/> + <nameField/> + <validationScript/> + <accessibility> + <customDisplay/> + <defaultValue>0</defaultValue> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>accessibility</name> + <number>11</number> + <prettyName>Enable extra accessibility features</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </accessibility> + <admin_email> + <customDisplay/> + <disabled>0</disabled> + <name>admin_email</name> + <number>19</number> + <picker>0</picker> + <prettyName>Admin eMail</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </admin_email> + <authenticate_edit> + <customDisplay/> + 
<defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>authenticate_edit</name> + <number>4</number> + <prettyName>Authenticated Edit</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </authenticate_edit> + <authenticate_view> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>authenticate_view</name> + <number>5</number> + <prettyName>Authenticated View</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </authenticate_view> + <backlinks> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>backlinks</name> + <number>40</number> + <prettyName>Activate the backlinks</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </backlinks> + <colorTheme> + <cache>0</cache> + <classname/> + <customDisplay>{{include reference="XWiki.ColorThemePropertyDisplayer" /}}</customDisplay> + <disabled>0</disabled> + <displayType>select</displayType> + <idField/> + <multiSelect>0</multiSelect> + <name>colorTheme</name> + <number>7</number> + <picker>0</picker> + <prettyName>Color theme</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators/> + <size>1</size> + <sort>none</sort> + <sql>select doc.fullName, doc.title from XWikiDocument as doc, BaseObject as theme where doc.fullName=theme.name and (theme.className='ColorThemes.ColorThemeClass' or theme.className='FlamingoThemesCode.ThemeClass') and 
doc.fullName<>'ColorThemes.ColorThemeTemplate' and doc.fullName<>'FlamingoThemesCode.ThemeTemplate'</sql> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <valueField/> + <classType>com.xpn.xwiki.objects.classes.DBListClass</classType> + </colorTheme> + <comment_anonymous> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>comment_anonymous</name> + <number>33</number> + <picker>1</picker> + <prettyName>Anonymous</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </comment_anonymous> + <comment_registered> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>comment_registered</name> + <number>34</number> + <picker>1</picker> + <prettyName>Registered</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </comment_registered> + <confirmation_email_content> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>confirmation_email_content</name> + <number>26</number> + <picker>0</picker> + <prettyName>Confirmation eMail Content</prettyName> + <rows>10</rows> + <size>72</size> + <tooltip/> + 
<unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </confirmation_email_content> + <core.defaultDocumentSyntax> + <customDisplay>{{velocity}} +{{html wiki="false" clean="false"}} +#if ("$!value" == '') + #set ($value = $xwiki.getDefaultDocumentSyntax()) +#end +<select name="${object.getxWikiClass().name}_${object.number}_${name}" id="${object.getxWikiClass().name}_${object.number}_${name}"> +#set ($configuredSyntaxes = $services.rendering.getConfiguredSyntaxes()) +#foreach($syntax in $configuredSyntaxes) + <option value="$syntax.toIdString()"#if($syntax.toIdString().equalsIgnoreCase($value)) selected="selected"#end>$syntax.toString()</option> +#end +</select> +{{/html}} +{{/velocity}}</customDisplay> + <disabled>0</disabled> + <name>core.defaultDocumentSyntax</name> + <number>37</number> + <picker>0</picker> + <prettyName>Default document syntax</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </core.defaultDocumentSyntax> + <dateformat> + <customDisplay/> + <disabled>0</disabled> + <name>dateformat</name> + <number>17</number> + <picker>0</picker> + <prettyName>Date Format</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </dateformat> + <default_language> + <customDisplay/> + <disabled>0</disabled> + <name>default_language</name> + <number>3</number> + <picker>0</picker> + <prettyName>Default Language</prettyName> + <size>5</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </default_language> + <documentBundles> + <cache>0</cache> + <classname/> + <customDisplay/> + <disabled>0</disabled> + 
<displayType>input</displayType> + <freeText>discouraged</freeText> + <hint/> + <idField/> + <multiSelect>0</multiSelect> + <name>documentBundles</name> + <number>48</number> + <picker>1</picker> + <prettyName>Internationalization Document Bundles</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators/> + <size>60</size> + <sort>none</sort> + <sql/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <valueField/> + <classType>com.xpn.xwiki.objects.classes.PageClass</classType> + </documentBundles> + <edit_anonymous> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>edit_anonymous</name> + <number>31</number> + <picker>1</picker> + <prettyName>Anonymous</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </edit_anonymous> + <edit_registered> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>edit_registered</name> + <number>32</number> + <picker>1</picker> + <prettyName>Registered</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </edit_registered> + <editcomment> + <customDisplay/> + <defaultValue/> + 
<disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>editcomment</name> + <number>74</number> + <prettyName>Enable version summary</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </editcomment> + <editcomment_mandatory> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>editcomment_mandatory</name> + <number>75</number> + <prettyName>Make version summary mandatory</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </editcomment_mandatory> + <editor> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>editor</name> + <number>12</number> + <picker>1</picker> + <prettyName>Default Editor</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Text|Wysiwyg</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </editor> + <guest_comment_requires_captcha> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>select</displayType> + <name>guest_comment_requires_captcha</name> + <number>36</number> + <prettyName>Enable CAPTCHA in comments for unregistered users</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </guest_comment_requires_captcha> + <iconTheme> + 
<cache>0</cache> + <disabled>0</disabled> + <displayType>select</displayType> + <multiSelect>0</multiSelect> + <name>iconTheme</name> + <number>8</number> + <prettyName>Icon theme</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>1</size> + <sql>select doc.fullName, propName.value from XWikiDocument as doc, BaseObject as theme, StringProperty propName where doc.fullName=theme.name and theme.className='IconThemesCode.IconThemeClass' and doc.fullName<>'IconThemesCode.IconThemeTemplate' and theme.id = propName.id and propName.name = 'name'</sql> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.DBListClass</classType> + </iconTheme> + <invitation_email_content> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>invitation_email_content</name> + <number>27</number> + <picker>0</picker> + <prettyName>Invitation eMail Content</prettyName> + <rows>10</rows> + <size>72</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </invitation_email_content> + <javamail_extra_props> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>javamail_extra_props</name> + <number>24</number> + <picker>0</picker> + <prettyName>Additional JavaMail properties</prettyName> + <rows>6</rows> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </javamail_extra_props> + <languages> + <customDisplay/> + <disabled>0</disabled> + <name>languages</name> + <number>47</number> + <picker>0</picker> + <prettyName>Supported languages</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + 
<classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </languages> + <ldap> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>ldap</name> + <number>50</number> + <prettyName>Ldap</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </ldap> + <ldap_UID_attr> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_UID_attr</name> + <number>59</number> + <picker>0</picker> + <prettyName>Ldap UID attribute name</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_UID_attr> + <ldap_base_DN> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_base_DN</name> + <number>58</number> + <picker>0</picker> + <prettyName>Ldap base DN</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_base_DN> + <ldap_bind_DN> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_bind_DN</name> + <number>53</number> + <picker>0</picker> + <prettyName>Ldap login matching</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_bind_DN> + <ldap_bind_pass> + <disabled>0</disabled> + <name>ldap_bind_pass</name> + <number>54</number> + <prettyName>Ldap password matching</prettyName> + <size>60</size> + <storageType>Clear</storageType> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.PasswordClass</classType> + </ldap_bind_pass> + <ldap_exclude_group> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_exclude_group</name> + <number>57</number> + 
<picker>0</picker> + <prettyName>Ldap group to exclude</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_exclude_group> + <ldap_fields_mapping> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>ldap_fields_mapping</name> + <number>60</number> + <picker>0</picker> + <prettyName>Ldap user fields mapping</prettyName> + <rows>1</rows> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </ldap_fields_mapping> + <ldap_group_mapping> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>ldap_group_mapping</name> + <number>65</number> + <picker>0</picker> + <prettyName>Ldap groups mapping</prettyName> + <rows>5</rows> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </ldap_group_mapping> + <ldap_groupcache_expiration> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_groupcache_expiration</name> + <number>66</number> + <picker>0</picker> + <prettyName>LDAP groups members cache</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_groupcache_expiration> + <ldap_mode_group_sync> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>ldap_mode_group_sync</name> + <number>67</number> + <picker>0</picker> + <prettyName>LDAP groups sync mode</prettyName> + <relationalStorage>0</relationalStorage> + 
<separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>always|create</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </ldap_mode_group_sync> + <ldap_photo_attachment_name> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_photo_attachment_name</name> + <number>63</number> + <picker>0</picker> + <prettyName>Attachment name to save LDAP photo</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_photo_attachment_name> + <ldap_photo_attribute> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_photo_attribute</name> + <number>64</number> + <picker>0</picker> + <prettyName>Ldap photo attribute name</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_photo_attribute> + <ldap_port> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_port</name> + <number>52</number> + <picker>0</picker> + <prettyName>Ldap server port</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_port> + <ldap_server> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_server</name> + <number>51</number> + <picker>0</picker> + <prettyName>Ldap server adress</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_server> + <ldap_trylocal> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>ldap_trylocal</name> 
+ <number>68</number> + <prettyName>Try local login</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </ldap_trylocal> + <ldap_update_photo> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>ldap_update_photo</name> + <number>62</number> + <prettyName>Update user photo from LDAP</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </ldap_update_photo> + <ldap_update_user> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>ldap_update_user</name> + <number>61</number> + <prettyName>Update user from LDAP</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </ldap_update_user> + <ldap_user_group> + <customDisplay/> + <disabled>0</disabled> + <name>ldap_user_group</name> + <number>56</number> + <picker>0</picker> + <prettyName>Ldap group filter</prettyName> + <size>60</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </ldap_user_group> + <ldap_validate_password> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>ldap_validate_password</name> + <number>55</number> + <prettyName>Validate Ldap user/password</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </ldap_validate_password> + <leftPanels> + <customDisplay/> + <disabled>0</disabled> + 
<name>leftPanels</name> + <number>41</number> + <picker>0</picker> + <prettyName>Panels displayed on the left</prettyName> + <size>60</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </leftPanels> + <leftPanelsWidth> + <cache>0</cache> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>leftPanelsWidth</name> + <number>45</number> + <prettyName>Width of the left panel column</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <unmodifiable>0</unmodifiable> + <values>Small|Medium|Large</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </leftPanelsWidth> + <meta> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>meta</name> + <number>16</number> + <picker>0</picker> + <prettyName>HTTP Meta Info</prettyName> + <rows>8</rows> + <size>60</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </meta> + <minoredit> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>minoredit</name> + <number>76</number> + <prettyName>Enable minor edits</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </minoredit> + <multilingual> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>multilingual</name> + <number>2</number> + <prettyName>Multi-Lingual</prettyName> + 
<tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </multilingual> + <obfuscateEmailAddresses> + <customDisplay/> + <defaultValue>0</defaultValue> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>obfuscateEmailAddresses</name> + <number>28</number> + <prettyName>Obfuscate Email Addresses</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </obfuscateEmailAddresses> + <parent> + <customDisplay/> + <disabled>0</disabled> + <name>parent</name> + <number>1</number> + <picker>0</picker> + <prettyName>Parent Space</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </parent> + <plugins> + <customDisplay/> + <disabled>0</disabled> + <name>plugins</name> + <number>4</number> + <picker>0</picker> + <prettyName>Plugins</prettyName> + <size>40</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </plugins> + <registration_anonymous> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>registration_anonymous</name> + <number>29</number> + <picker>1</picker> + <prettyName>Anonymous</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + 
</registration_anonymous> + <registration_registered> + <cache>0</cache> + <customDisplay/> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>registration_registered</name> + <number>30</number> + <picker>1</picker> + <prettyName>Registered</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <sort>none</sort> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <values>Image|Text</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </registration_registered> + <rightPanels> + <customDisplay/> + <disabled>0</disabled> + <name>rightPanels</name> + <number>42</number> + <picker>0</picker> + <prettyName>Panels displayed on the right</prettyName> + <size>60</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </rightPanels> + <rightPanelsWidth> + <cache>0</cache> + <disabled>0</disabled> + <displayType>select</displayType> + <freeText>forbidden</freeText> + <largeStorage>0</largeStorage> + <multiSelect>0</multiSelect> + <name>rightPanelsWidth</name> + <number>46</number> + <prettyName>Width of the right panel column</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators>|, </separators> + <size>1</size> + <unmodifiable>0</unmodifiable> + <values>Small|Medium|Large</values> + <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> + </rightPanelsWidth> + <showLeftPanels> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showLeftPanels</name> + <number>43</number> + <prettyName>Display the left panel column</prettyName> + <tooltip/> + 
<unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showLeftPanels> + <showRightPanels> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showRightPanels</name> + <number>44</number> + <prettyName>Display the right panel column</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showRightPanels> + <showannotations> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showannotations</name> + <number>69</number> + <prettyName>Show document annotations</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showannotations> + <showattachments> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showattachments</name> + <number>71</number> + <prettyName>Show document attachments</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showattachments> + <showcomments> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showcomments</name> + <number>70</number> + <prettyName>Show document comments</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showcomments> + <showhistory> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + 
<displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showhistory</name> + <number>72</number> + <prettyName>Show document history</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showhistory> + <showinformation> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>showinformation</name> + <number>73</number> + <prettyName>Show document information</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </showinformation> + <skin> + <cache>0</cache> + <classname/> + <customDisplay/> + <disabled>0</disabled> + <displayType>input</displayType> + <freeText>allowed</freeText> + <hint/> + <idField/> + <multiSelect>0</multiSelect> + <name>skin</name> + <number>6</number> + <picker>1</picker> + <prettyName>Skin</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <separators/> + <size>30</size> + <sort>none</sort> + <sql>, BaseObject obj where doc.fullName = obj.name and obj.className = 'XWiki.XWikiSkins'</sql> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <valueField/> + <classType>com.xpn.xwiki.objects.classes.PageClass</classType> + </skin> + <smtp_port> + <customDisplay/> + <disabled>0</disabled> + <name>smtp_port</name> + <number>21</number> + <picker>0</picker> + <prettyName>SMTP Port</prettyName> + <size>5</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </smtp_port> + <smtp_server> + <customDisplay/> + <disabled>0</disabled> + <name>smtp_server</name> + <number>20</number> + <picker>0</picker> + <prettyName>SMTP Server</prettyName> + <size>30</size> + 
<tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </smtp_server> + <smtp_server_password> + <customDisplay/> + <disabled>0</disabled> + <name>smtp_server_password</name> + <number>23</number> + <picker>0</picker> + <prettyName>Server password (optional)</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </smtp_server_password> + <smtp_server_username> + <customDisplay/> + <disabled>0</disabled> + <name>smtp_server_username</name> + <number>22</number> + <picker>0</picker> + <prettyName>Server username (optional)</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </smtp_server_username> + <stylesheet> + <customDisplay/> + <disabled>0</disabled> + <name>stylesheet</name> + <number>9</number> + <picker>0</picker> + <prettyName>Default Stylesheet</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </stylesheet> + <stylesheets> + <customDisplay/> + <disabled>0</disabled> + <name>stylesheets</name> + <number>10</number> + <picker>0</picker> + <prettyName>Alternative Stylesheet</prettyName> + <size>60</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </stylesheets> + <tags> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>tags</name> + <number>39</number> + <prettyName>Activate the tagging</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + 
<validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </tags> + <timezone> + <disabled>0</disabled> + <name>timezone</name> + <number>49</number> + <prettyName>Time Zone</prettyName> + <size>30</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.TimezoneClass</classType> + </timezone> + <title> + <customDisplay/> + <disabled>0</disabled> + <name>title</name> + <number>14</number> + <picker>0</picker> + <prettyName>Title</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </title> + <upload_maxsize> + <customDisplay/> + <disabled>0</disabled> + <name>upload_maxsize</name> + <number>35</number> + <numberType>long</numberType> + <prettyName>Maximum Upload Size</prettyName> + <size>5</size> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.NumberClass</classType> + </upload_maxsize> + <use_email_verification> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>use_email_verification</name> + <number>18</number> + <prettyName>Use eMail Verification</prettyName> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </use_email_verification> + <validation_email_content> + <contenttype>PureText</contenttype> + <customDisplay/> + <disabled>0</disabled> + <editor>PureText</editor> + <name>validation_email_content</name> + <number>25</number> + <picker>0</picker> + <prettyName>Validation eMail Content</prettyName> + <rows>10</rows> + <size>72</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + 
<classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType> + </validation_email_content> + <version> + <customDisplay/> + <disabled>0</disabled> + <name>version</name> + <number>15</number> + <picker>0</picker> + <prettyName>Version</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </version> + <webcopyright> + <customDisplay/> + <disabled>0</disabled> + <name>webcopyright</name> + <number>13</number> + <picker>0</picker> + <prettyName>Copyright</prettyName> + <size>30</size> + <tooltip/> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.StringClass</classType> + </webcopyright> + <xwiki.title.mandatory> + <customDisplay/> + <defaultValue/> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>yesno</displayType> + <name>xwiki.title.mandatory</name> + <number>38</number> + <prettyName>Make document title field mandatory</prettyName> + <unmodifiable>0</unmodifiable> + <validationMessage/> + <validationRegExp/> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </xwiki.title.mandatory> + </class> + <property> + <accessibility/> + </property> + <property> + <colorTheme/> + </property> + <property> + <core.defaultDocumentSyntax/> + </property> + <property> + <dateformat/> + </property> + <property> + <editcomment/> + </property> + <property> + <editcomment_mandatory/> + </property> + <property> + <guest_comment_requires_captcha/> + </property> + <property> + <iconTheme/> + </property> + <property> + <javamail_extra_props/> + </property> + <property> + <ldap/> + </property> + <property> + <ldap_UID_attr/> + </property> + <property> + <ldap_base_DN/> + </property> + <property> + <ldap_bind_DN/> + </property> + <property> + <ldap_bind_pass/> + </property> + <property> + <ldap_exclude_group/> + </property> + 
<property> + <ldap_fields_mapping/> + </property> + <property> + <ldap_group_mapping/> + </property> + <property> + <ldap_groupcache_expiration/> + </property> + <property> + <ldap_mode_group_sync/> + </property> + <property> + <ldap_photo_attachment_name/> + </property> + <property> + <ldap_photo_attribute/> + </property> + <property> + <ldap_port/> + </property> + <property> + <ldap_server/> + </property> + <property> + <ldap_trylocal/> + </property> + <property> + <ldap_update_photo/> + </property> + <property> + <ldap_update_user/> + </property> + <property> + <ldap_user_group/> + </property> + <property> + <ldap_validate_password/> + </property> + <property> + <leftPanelsWidth/> + </property> + <property> + <minoredit/> + </property> + <property> + <obfuscateEmailAddresses/> + </property> + <property> + <parent/> + </property> + <property> + <plugins/> + </property> + <property> + <rightPanelsWidth/> + </property> + <property> + <showannotations/> + </property> + <property> + <showattachments/> + </property> + <property> + <showcomments/> + </property> + <property> + <showhistory/> + </property> + <property> + <showinformation/> + </property> + <property> + <smtp_port/> + </property> + <property> + <smtp_server_password/> + </property> + <property> + <smtp_server_username/> + </property> + <property> + <tags/> + </property> + <property> + <timezone/> + </property> + <property> + <upload_maxsize/> + </property> + <property> + <xwiki.title.mandatory/> + </property> + </object> +</xwikidoc>
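Review bot: the XWiki.XWikiPreferences object that closes this document (the run of `<property>` elements just before `</object>`) leaves every property visible here as an empty element, `<obfuscateEmailAddresses/>` and `<smtp_server_password/>` included, so this part of the file sets no configuration of its own, while the embedded `<class>` block reproduces the full preferences class definition field by field. Consider trimming the export to the objects the page actually needs, so that the security-relevant part of the change is easy to find in review and the copied class snapshot cannot drift from the platform's own definition. If the snapshot stays, note that it declares `smtp_server_password` with `<classType>com.xpn.xwiki.objects.classes.StringClass</classType>`; check whether a password-typed property is intended there so a stored value is not rendered as plain text.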
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4hfp-m9gv-m753 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-26138 (ghsa, ADVISORY)
- extensions.xwiki.org/xwiki/bin/view/Extension/Active%20Installs%202%20API (ghsa, x_refsource_MISC, WEB)
- github.com/xwikisas/application-licensing/commit/d168fb88fc0d121bf95e769ea21c55c00bebe5a6 (ghsa, x_refsource_MISC, WEB)
- github.com/xwikisas/application-licensing/security/advisories/GHSA-4hfp-m9gv-m753 (ghsa, x_refsource_CONFIRM, WEB)