Lucene search

[email protected]NVD:CVE-2023-46743

HistoryNov 09, 2023 - 4:15 p.m.

CVE-2023-46743

2023-11-0916:15:34

CWE-276

[email protected]

web.nvd.nist.gov

application-collabora

xwiki

office attachments

view mode

edit mode

persistent access issue

collabora online

patch

cve-2023-46743

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

Percentile

14.0%

JSON

application-collabora is an integration of Collabora Online in XWiki. As part of the application use cases, depending on the rights that a user has over a document, they should be able to open the office attachments files in view or edit mode. Currently, if a user opens an attachment file in edit mode in collabora, this right will be preserved for all future users, until the editing session is closes, even if some of them have only view right. Collabora server is the one issuing this request and it seems that the userCanWrite query parameter is cached, even if, for example, token is not. This issue has been patched in version 1.3.

Affected configurations

Nvd

Node

xwikiapplication-collaboraRange<1.3

VendorProductVersionCPE
xwikiapplication-collabora*cpe:2.3:a:xwiki:application-collabora:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	application-collabora	*	cpe:2.3:a:xwiki:application-collabora::::::::

References

github.com/xwikisas/application-collabora/security/advisories/GHSA-mvq3-xxg2-rj57

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

Percentile

14.0%

JSON

Related for NVD:CVE-2023-46743

cve1 osv1 prion1 cvelist1 vulnrichment1