Authorization

2022-11-2319:15:00

PRIOn knowledge base

www.prio-n.com

authorization

xwiki

user rights

security patch

5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.4%

JSON

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

CPENameOperatorVersion
xwikigt14.0.0
xwikilt14.4.2
xwikieq11.7 rc1
xwikigt11.7
xwikilt13.10.7
xwikieq14.4.3
xwikieq14.4.4

Name	Operator	Version
xwiki	gt	14.0.0
xwiki	lt	14.4.2
xwiki	eq	11.7 rc1
xwiki	gt	11.7
xwiki	lt	13.10.7
xwiki	eq	14.4.3
xwiki	eq	14.4.4

References

github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd

github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq

jira.xwiki.org/browse/XWIKI-19804