CVE-2023-26478

Published: Mar 2, 2023Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.

Affected (2)

Products: Xwiki: Xwiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 14.3 to 14.4.6
Xwiki Xwiki	From 14.5 to 14.9

Related CWEs

Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

References (6)

https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d

Source: security-advisories@github.com

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p

Source: security-advisories@github.com

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20180

Source: security-advisories@github.com

ExploitIssue TrackingVendor Advisory

https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20180

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.