4 matches found
CVE-2022-41930 org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user logged in or not with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attack...
CVE-2022-41929 Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in UsersetDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched ...
CVE-2022-41931 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code 'Eval Injection'. Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper...
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Impact It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights. Patches This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1. Workarounds There is no workaround other than upgrading the wiki, but...