GHSA-8692-g6g9-gm5p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8692-g6g9-gm5p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8692-g6g9-gm5p/GHSA-8692-g6g9-gm5p.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8692-g6g9-gm5p
- Aliases
- Published
- 2023-03-03T22:52:47Z
- Modified
- 2023-11-08T04:12:01.777904Z
- Severity
-
- 6.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
- Summary
- xwiki contains Exposed Dangerous Method or Function
- Details
-
Impact
org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachmentis returning an instance ofcom.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without theprogramingright.com.xpn.xwiki.api.Attachmentshould be used instead and takes case of checking the user's rights before performing dangerous operations.Patches
This has been patched in the version 14.9-rc-1 and 14.4.6.
Workarounds
There's no workaround for this issue.
References
https://jira.xwiki.org/browse/XWIKI-20180
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at security ML
- Database specific
{ "nvd_published_at": "2023-03-02T18:15:00Z", "github_reviewed_at": "2023-03-03T22:52:47Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-749" ] }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-store-filesystem-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-store-filesystem-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-store-filesystem-oldcore
Maven / org.xwiki.platform:xwiki-platform-store-filesystem-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-store-filesystem-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-store-filesystem-oldcore