
We found results for “”
CVE-2023-26478
Good to know:

Date: March 2, 2023
XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, "org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment" returns an instance of "com.xpn.xwiki.doc.XWikiAttachment". This class is not supported to be exposed to users without the "programing" right. "com.xpn.xwiki.api.Attachment" should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.
Language: Java
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Exposed Dangerous Method or Function
CWE-749Top Fix

Upgrade Version
Upgrade to version org.xwiki.platform:xwiki-platform-store-filesystem-oldcore:14.4.6;org.xwiki.platform:xwiki-platform-store-filesystem-oldcore:14.9-rc-1
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | HIGH |
User Interaction (UI): | NONE |
Scope (S): | CHANGED |
Confidentiality (C): | LOW |
Integrity (I): | LOW |
Availability (A): | LOW |