GHSA-gpq5-7p34-vqx5

Source
https://github.com/advisories/GHSA-gpq5-7p34-vqx5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-gpq5-7p34-vqx5/GHSA-gpq5-7p34-vqx5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gpq5-7p34-vqx5
Aliases
Published
2023-04-20T22:24:46Z
Modified
2023-11-08T04:12:20.508373Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
XWiki Platform's async and display macros allow displaying and interacting with any document in restricted mode
Details

Impact

Combining the async macro with the display macro makes it possible to display any page the current user is not allowed to view, including from restricted-mode contexts such as comments, where the display macro on its own would be rejected.

Steps to reproduce:

  1. Enable comments for guests by giving guests comment rights
  2. As a guest, create a comment with content {{async}}{{display reference="Menu.WebHome" /}}{{/async}}
  3. Open the comments viewer from the menu (appends ?viewer=comments to the URL)

-> the content of Menu.WebHome is rendered, whereas the expected behaviour is an error stating that the current user is not allowed to view it.
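The payload from step 2 is easy to hunt for after the fact in stored wiki content (comments, page bodies, objects). The scanner below is an added example, not XWiki code: it walks XWiki 2.x-style macro syntax with a nesting stack and reports every display macro that sits anywhere inside an async macro, together with the document it references. The macro tokenizer is a deliberate simplification of XWiki's real syntax parser, and the sample comments are constructed for the example.

```python
"""Hunt for the async+display macro pattern from GHSA-gpq5-7p34-vqx5 in stored
wiki content. Added example, not XWiki code; the macro tokenizer below is a
simplification of XWiki's real 2.x syntax parser."""
import re
from dataclasses import dataclass

# Matches {{name params /}}, {{name params}} and {{/name}} in XWiki 2.x syntax
MACRO_RE = re.compile(
    r"\{\{(?P<close>/)?(?P<name>[A-Za-z][\w-]*)(?P<params>[^}]*?)(?P<selfclose>/)?\}\}"
)
# key="value", key='value' or key=value inside a macro's parameter list
PARAM_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")


@dataclass
class Finding:
    line: int        # 1-based line of the display macro inside the scanned text
    reference: str   # document the display macro pulls in ("" if no reference param)
    path: str        # enclosing macro chain, e.g. "async > box > display"


def find_async_display(text: str) -> list[Finding]:
    """Return every display macro nested (at any depth) inside an async macro."""
    findings: list[Finding] = []
    stack: list[str] = []  # names of currently open block macros
    for m in MACRO_RE.finditer(text):
        name = m.group("name").lower()  # normalise case so DISPLAY/Display don't slip past
        if m.group("close"):
            # closing tag: unwind to the matching open macro, tolerating sloppy nesting
            if name in stack:
                while stack and stack.pop() != name:
                    pass
            continue
        if name == "display" and "async" in stack:
            params = {k: (v1 or v2 or v3) for k, v1, v2, v3 in PARAM_RE.findall(m.group("params"))}
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, params.get("reference", ""), " > ".join(stack + [name])))
        if not m.group("selfclose"):
            stack.append(name)
    return findings


def scan_comments(comments: list[str]) -> list[tuple[int, Finding]]:
    """Scan a batch of comment bodies; returns (comment index, finding) pairs."""
    return [(i, f) for i, body in enumerate(comments) for f in find_async_display(body)]


# Constructed sample comments for this example (not real wiki data)
SAMPLE_COMMENTS = [
    "Thanks, this page was helpful.",                                 # benign
    '{{async}}{{display reference="Menu.WebHome" /}}{{/async}}',       # payload from step 2
    '{{display reference="Sandbox.WebHome" /}}',                       # display alone: not this pattern
    "{{async}}\n{{box}}\n{{display reference='XWiki.XWikiPreferences'/}}\n{{/box}}\n{{/async}}",
]

if __name__ == "__main__":
    for idx, f in scan_comments(SAMPLE_COMMENTS):
        print(f"comment {idx}, line {f.line}: {f.path} -> {f.reference!r}")
```

Because the check is nesting-aware rather than a flat regex for the literal `{{async}}{{display`, a payload wrapped in an intermediate macro (the fourth sample) is still reported, and a display macro used on its own is not.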

Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11.

Workarounds

There is no known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20394
https://jira.xwiki.org/browse/XRENDERING-694

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

Database specific
{
    "nvd_published_at": "2023-04-19T00:15:09Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-74"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-20T22:24:46Z"
}
Affected packages

Both Maven artifacts below carry the same three affected ranges (type ECOSYSTEM). A version is affected when it is at or above the introduced version and below the fixed version of a range; the fixed version itself is patched.

Package                                                   Purl
org.xwiki.platform:xwiki-platform-oldcore                 pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
org.xwiki.platform:xwiki-platform-rendering-async-macro   pkg:maven/org.xwiki.platform/xwiki-platform-rendering-async-macro

Introduced    Fixed
10.11.1       13.10.11
14.0-rc-1     14.4.8
14.5          14.10.3
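Deciding whether a deployed build is inside one of these ranges needs a version comparison that understands XWiki's pre-release suffixes: a naive string or float comparison puts 14.0-rc-1 after 14.0 and 14.10.3 before 14.4.8. The checker below is an added example, not XWiki project code. It assumes Maven-style ordering, where a milestone or rc qualifier sorts before the final release it precedes; the three ranges are copied from the table above.

```python
"""Decide whether an installed xwiki-platform-oldcore / xwiki-platform-rendering-async-macro
version falls inside the affected ranges of GHSA-gpq5-7p34-vqx5. Added example, not XWiki
project code. Assumption: Maven-style ordering, where a pre-release qualifier
(milestone, then rc) sorts before the final release it precedes, e.g. 14.0-rc-1 < 14.0."""
import re
from typing import Optional

# Copied from the advisory's affected ranges: a version v is affected when
# introduced <= v < fixed for one of these pairs (both packages share them).
AFFECTED_RANGES = [
    ("10.11.1", "13.10.11"),
    ("14.0-rc-1", "14.4.8"),
    ("14.5", "14.10.3"),
]

QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2  # a final release sorts after any milestone or rc of the same number
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?")


def version_key(version: str) -> tuple:
    """Sortable key for an XWiki version string such as '14.10.3' or '15.0-rc-1'."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))  # pad so 14.0 == 14.0.0 and 14.4.8 < 14.5
    if m.group(2):
        qualifier = (QUALIFIER_RANK[m.group(2)], int(m.group(3)))
    else:
        qualifier = (FINAL_RANK, 0)
    return tuple(numbers) + qualifier


def affected_range(version: str) -> Optional[tuple[str, str]]:
    """Return the (introduced, fixed) pair that contains version, or None if unaffected."""
    key = version_key(version)
    for introduced, fixed in AFFECTED_RANGES:
        if version_key(introduced) <= key < version_key(fixed):
            return (introduced, fixed)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def minimum_fix(version: str) -> Optional[str]:
    """First patched release on the same branch as an affected version, else None."""
    rng = affected_range(version)
    return rng[1] if rng else None


if __name__ == "__main__":
    for v in ["13.10.10", "13.10.11", "14.0-rc-1", "14.4.7", "14.4.8", "14.10.2", "14.10.3", "15.0-rc-1"]:
        verdict = "AFFECTED, upgrade to " + minimum_fix(v) if is_affected(v) else "not affected"
        print(f"{v:>10}: {verdict}")
```

Feed it the version of either artifact as it appears in the deployment's pom or WEB-INF/lib jar names; the same key function also orders 15.0-rc-1 after 14.10.3, which is why the 15.x line is not listed as affected.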