9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.2%
The content of a document included using {{include reference="targetdocument"/}}
is executed with the right of the includer and not with the right of its author.
This means that any user able to modify the target document can impersonate the author of the content which used the include
macro.
This has been patched in XWiki 15.0 RC1 by making the default behavior safe.
Make sure to protect any included document to make sure only allowed users can modify it.
A workaround have been provided in 14.10.2 to allow forcing to execute the included content with the target content author instead of the default behavior. See https://extensions.xwiki.org/xwiki/bin/view/Extension/Include Macro#HAuthor for more details.
https://jira.xwiki.org/browse/XWIKI-5027
https://jira.xwiki.org/browse/XWIKI-20471
If you have any questions or comments about this advisory:
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/0a4f9b026ba9931516b4e9b3019da8da838c7ac6
github.com/xwiki/xwiki-platform/commit/b48116a3ebe9ce928c401b5d068d4db7e7239575
github.com/xwiki/xwiki-platform/commit/c1fb14402ce2ee569c5a8e3f1f8e64ae45dfbfb0
github.com/xwiki/xwiki-platform/commit/d1a84a3eea38305ff8e10ba411910c0675ac157c
github.com/xwiki/xwiki-platform/commit/f627abe2dc39b07ff75fe68398cc8a1bbc743ef7
github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh
jira.xwiki.org/browse/XWIKI-20471
jira.xwiki.org/browse/XWIKI-5027
nvd.nist.gov/vuln/detail/CVE-2024-38369
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.2%