Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23615

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access.

Published

2022-02-09T21:15:07.813

Last Modified

2024-11-21T06:48:56.340

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-863
Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.0	Yes

References

https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe Patch, Third Party Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r Third Party Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-5024 Patch, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/7ab0fe7b96809c7a3881454147598d46a1c9bbbe Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4cj-3q3h-884r Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-5024 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)