GHSA-8C52-X9W7-VC95 XWiki view file macro: User can view content of office file without view rights on the attachment

Summary A user with no view rights on a page may see the content of an office attachment displayed with the view file macro. Details If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no...

PT-2025-47417

Name of the Vulnerable Software and Affected Versions XWiki versions prior to 1.27.0 Description A user lacking view permissions on a page may be able to access the content of an office attachment displayed using the view file macro. This occurs when an office attachment from a restricted page is...