I see a potential gap for the xWiki user base between the discovery, fix and publication of the CVE.
Maybe there is a way to be made aware that there is a vulnerability in version X.Y.Z that was fixed in version A.B.C, but I was not successful in finding it.
For me, it would be good to know / be made aware of
a) if a security issue was discovered in version X.Y.Z and the severity of it (without the details but with the internal CVE identifier)
b) in which version of xWiki a CVE was fixed (relating the CVE ID)
Otherwise there might be a gap of at least 3 months between the fix and the awareness of a CVE by the user base.
If there is a resource to fill that gap, please point it out to me.
Thank you
PS: Sure, one might protect the xWiki instance with pre-authentication, reducing the attack surface - which is what we are starting to do with many of our services - but this is not feasible for all xWiki users out there.
So, to be more clear: since we cannot disclose the issue publicly, you need to ask to be on the internal security channels, and for us to accept you we need to do some due diligence to know who you are.