Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mNGNqLTNxM2gtODg0cs0p0g

Partial authorization bypass on document save in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with SCRIPT right (EDIT right before XWiki 7.4) can save a document with the right of the current user, which allows access to APIs requiring programming right if the current user has programming right. It has been patched in XWiki 13.0. The only workaround is to give SCRIPT right only to trusted users.

Permalink: https://github.com/advisories/GHSA-f4cj-3q3h-884r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNGNqLTNxM2gtODg0cs0p0g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Percentage: 0.0006
EPSS Percentile: 0.26594

Identifiers: GHSA-f4cj-3q3h-884r, CVE-2022-23615
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-oldcore
Affected Version Ranges: >= 1.0, < 13.0
Fixed in: 13.0