ghsa-8692-g6g9-gm5p
Vulnerability from github
Published
2023-03-03 22:52
Modified
2023-03-03 22:52
Severity ?
Summary
xwiki contains Exposed Dangerous Method or Function
Details
Impact
org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment is returning an instance of com.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without the programing right.
com.xpn.xwiki.api.Attachment should be used instead and takes case of checking the user's rights before performing dangerous operations.
Patches
This has been patched in the version 14.9-rc-1 and 14.4.6.
Workarounds
There's no workaround for this issue.
References
https://jira.xwiki.org/browse/XWIKI-20180
For more information
If you have any questions or comments about this advisory:
- Open an issue in JIRA
- Email us at security ML
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-store-filesystem-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.3-rc-1"
},
{
"fixed": "14.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-store-filesystem-oldcore"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.9-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26478"
],
"database_specific": {
"cwe_ids": [
"CWE-749"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T22:52:47Z",
"nvd_published_at": "2023-03-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n`org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` is returning an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right.\n`com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user\u0027s rights before performing dangerous operations.\n\n### Patches\nThis has been patched in the version 14.9-rc-1 and 14.4.6.\n\n### Workarounds\nThere\u0027s no workaround for this issue.\n\n### References\nhttps://jira.xwiki.org/browse/XWIKI-20180\n\n### For more information\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [JIRA](https://jira.xwiki.org/)\n* Email us at [security ML](mailto:security@xwiki.org)\n",
"id": "GHSA-8692-g6g9-gm5p",
"modified": "2023-03-03T22:52:47Z",
"published": "2023-03-03T22:52:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26478"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20180"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "xwiki contains Exposed Dangerous Method or Function"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.