Lucene search

GitHub_MCVELIST:CVE-2022-24821

HistoryApr 08, 2022 - 6:55 p.m.

CVE-2022-24821 Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx

2022-04-0818:55:10

CWE-648

GitHub_M

www.cve.org

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

8.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There’s no easy workaround for this issue, administrators should upgrade their wiki.

CNA Affected

[
  {
    "product": "xwiki-platform",
    "vendor": "xwiki",
    "versions": [
      {
        "status": "affected",
        "version": "> 3.1M1"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h

jira.xwiki.org/browse/XWIKI-19155

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

8.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

Related for CVELIST:CVE-2022-24821