Skip to content

Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx

Moderate
surli published GHSA-ghcq-472w-vf4h Apr 8, 2022

Package

maven org.xwiki.platform.skin.skinx (Maven)

Affected versions

> 3.1M1

Patched versions

13.10RC1, 12.10.11, 13.4.6

Description

Impact

Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those.

Patches

This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6.

Workarounds

There's no easy workaround for this issue, administrators should upgrade their wiki.

References

https://jira.xwiki.org/browse/XWIKI-19155

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
6.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2022-24821

Weaknesses