Lucene search

GitHub_MCVELIST:CVE-2022-41929

HistoryNov 23, 2022 - 12:00 a.m.

CVE-2022-41929 Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore

2022-11-2300:00:00

CWE-862

GitHub_M

www.cve.org

xwiki 13.10.7

xwiki 14.4.2

xwiki 14.5rc1

user authorization

user#setdisabledstatus

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 11.7RC1, < 13.10.7",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.4.2",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd

github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq

jira.xwiki.org/browse/XWIKI-19804

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

Related for CVELIST:CVE-2022-41929