xwiki contains Exposed Dangerous Method or Function

Impact

org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment is returning an instance of com.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without the programing right.
com.xpn.xwiki.api.Attachment should be used instead and takes case of checking the user’s rights before performing dangerous operations.

Patches

This has been patched in the version 14.9-rc-1 and 14.4.6.

Workarounds

There’s no workaround for this issue.

References

https://jira.xwiki.org/browse/XWIKI-20180

For more information

If you have any questions or comments about this advisory:

• Open an issue in JIRA
• Email us at security ML