A permission check is missing when page history information is accessed through the REST API. The two affected REST APIs are:
@Path("/wikis/{wikiName}/spaces/{spaceName:.+}/pages/{pageName}/translations/{language}/history") org.xwiki.rest.internal.resources.pages.PageHistoryResourceImpl.getPageHistory
@Path("/wikis/{wikiName}/spaces/{spaceName:.+}/pages/{pageName}/translations/{language}/history") org.xwiki.rest.internal.resources.pages.PageTranslationHistoryResourceImpl.getPageTranslationHistory
On the other hand, it could be argued that anyone who knows the 'spaceName' and 'pageName' can be assumed to already have the appropriate permissions. Please check whether a permission check is required here.
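A regression check for the gap described above, as an added example (not XWiki project code): it compares how a test instance answers the same caller for a page and for that page's history route as listed in this report. The base URL, the page route without the history suffix, treating 401/403 as "denied", and all function names are assumptions made for the example.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# History route template exactly as listed in the report above.
HISTORY = "/wikis/{wiki}/spaces/{space}/pages/{page}/translations/{lang}/history"
# Assumption: the page resource is the same route without the history suffix.
PAGE = "/wikis/{wiki}/spaces/{space}/pages/{page}"
DENIED = {401, 403}  # assumption: how the instance signals a missing view right


def build_urls(base, wiki, space, page, lang):
    """Return (page_url, history_url) with every path segment percent-encoded."""
    parts = {k: quote(v, safe="") for k, v in
             {"wiki": wiki, "space": space, "page": page, "lang": lang}.items()}
    root = base.rstrip("/")
    return root + PAGE.format(**parts), root + HISTORY.format(**parts)


def http_status(url):
    """Unauthenticated GET against a test instance; returns the status code."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def history_leaks(base, wiki, space, page, lang, fetch=http_status):
    """True when the page is denied to the caller but its history is served."""
    page_url, history_url = build_urls(base, wiki, space, page, lang)
    return fetch(page_url) in DENIED and fetch(history_url) == 200


if __name__ == "__main__":
    # Constructed responses standing in for a test instance, so this runs offline.
    base = "http://localhost:8080/xwiki/rest"  # assumed base URL
    page_url, history_url = build_urls(base, "xwiki", "Private Space", "WebHome", "fr")
    missing_check = {page_url: 401, history_url: 200}
    with_check = {page_url: 401, history_url: 401}
    for label, table in (("missing check", missing_check), ("with check", with_check)):
        leaks = history_leaks(base, "xwiki", "Private Space", "WebHome", "fr",
                              fetch=table.__getitem__)
        print(f"{label}: history served without view right = {leaks}")
```

Dropping the `fetch` argument makes the check issue real requests, which fits an integration test run against a staging wiki after each upgrade.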