Skip to content

Page content is revealed to users that don't have rights if used as a template for the creation of another page

Moderate
tmortagne published GHSA-gf7x-2j2x-7f73 Feb 9, 2022

Package

maven org.xwiki.platform:xwiki-platform-oldcore (Maven)

Affected versions

< 12.10.6, < 13.2-rc-1

Patched versions

12.10.6, 13.2-rc-1

Description

Impact

Any user with edit right can copy the content of a page it does not have access to by using it as template of a new page.

Patches

It has been patched in XWiki 13.2CR1 and 12.10.6

Workarounds

There is no workaround beside patching.

References

https://jira.xwiki.org/browse/XWIKI-18430

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-23617

Weaknesses