CVE-2024-38369

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-38369

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38369.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-38369

Aliases

GHSA-qcj3-wpgm-qpxh

Published

2024-06-24T17:15:10Z

Modified

2024-10-07T23:30:57Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using {{include reference="targetdocument"/}} is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the include macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fdba4ca1398766e912f7888af5bdefbeef60d8b0

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

9650663be3cd4a7cb6991bfddcf8c3a920117474

Fixed

96b4a230ee41ef74268c9720722f6473c705583d