Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNGNqLTNxM2gtODg0cs0p0g
Partial authorization bypass on document save in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with SCRIPT right (EDIT right before XWiki 7.4) can save a document with the rights of the current user, which allows access to APIs that require programming right if the current user has programming right. It has been patched in XWiki 13.0. The only workaround is to give SCRIPT right only to trusted users.
Permalink: https://github.com/advisories/GHSA-f4cj-3q3h-884r
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNGNqLTNxM2gtODg0cs0p0g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Percentage: 0.0006
EPSS Percentile: 0.26594
Identifiers: GHSA-f4cj-3q3h-884r, CVE-2022-23615
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r
- https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe
- https://jira.xwiki.org/browse/XWIKI-5024
- https://nvd.nist.gov/vuln/detail/CVE-2022-23615
- https://github.com/advisories/GHSA-f4cj-3q3h-884r
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-oldcore
Affected Version Ranges: >= 1.0, < 13.0
Fixed in: 13.0