CVE-2022-23615

Published: Feb 9, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: NVD

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access.

Affected (1)

Products: Xwiki: Xwiki

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 1.0 to 13.0

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (6)

https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r

Source: security-advisories@github.com

Third Party Advisory

https://jira.xwiki.org/browse/XWIKI-5024

Source: security-advisories@github.com

PatchVendor Advisory

https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://jira.xwiki.org/browse/XWIKI-5024

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.