CVE-2022-24821

08.04.2022, 19:15

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.8 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
GitHub_M	CNA	6.8 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 70%

Vendor	Product	Version
xwiki	xwiki	12.0.0 ≤ 𝑥 < 12.10.11
xwiki	xwiki	13.4.0 ≤ 𝑥 < 13.4.6
xwiki	xwiki	13.10

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-648 - Incorrect Use of Privileged APIs
The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h

https://jira.xwiki.org/browse/XWIKI-19155

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h

https://jira.xwiki.org/browse/XWIKI-19155