4.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
0.001 Low
EPSS
Percentile
26.4%
It’s possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.
This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.
If you have any questions or comments about this advisory: