GHSA-f4cj-3q3h-884r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f4cj-3q3h-884r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f4cj-3q3h-884r/GHSA-f4cj-3q3h-884r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f4cj-3q3h-884r
- Aliases
- Published
- 2022-02-09T21:21:53Z
- Modified
- 2023-11-08T04:08:24.950350Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Partial authorization bypass on document save in xwiki-platform
- Details
-
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with SCRIPT right (EDIT right before XWiki 7.4) can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. It has been patched in XWiki 13.0. The only workaround is to give SCRIPT right only to trusted users.
- Database specific
{ "nvd_published_at": "2022-02-09T21:15:00Z", "github_reviewed_at": "2022-02-09T21:21:53Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-863" ] }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-oldcore
Package
- Name
- org.xwiki.platform:xwiki-platform-oldcore
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-oldcore