CVE-2022-24821

Published: Apr 8, 2022Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki.

Affected (3)

Products: Xwiki: Xwiki

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 12.0.0 to 12.10.11
Xwiki Xwiki	From 13.4.0 to 13.4.6
Xwiki Xwiki	Version 13.10

Related CWEs

Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References (4)

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h

Source: security-advisories@github.com

Third Party Advisory

https://jira.xwiki.org/browse/XWIKI-19155

Source: security-advisories@github.com

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://jira.xwiki.org/browse/XWIKI-19155

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.