GHSA-2gj2-vj98-j2qq

Suggest an improvement
Source
https://github.com/advisories/GHSA-2gj2-vj98-j2qq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-2gj2-vj98-j2qq/GHSA-2gj2-vj98-j2qq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2gj2-vj98-j2qq
Aliases
Published
2022-11-21T22:35:22Z
Modified
2023-11-01T05:00:06.569326Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Details

Impact

It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.

Patches

This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

Workarounds

There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.

References

  • https://jira.xwiki.org/browse/XWIKI-19804
  • https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd

For more information

If you have any questions or comments about this advisory: * Open an issue in JIRA * Email us at security ML

Database specific
{
    "nvd_published_at": "2022-11-23T19:15:00Z",
    "github_reviewed_at": "2022-11-21T22:35:22Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-862"
    ]
}
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-oldcore
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.7RC1
Fixed
13.10.7

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-oldcore
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.4.2