CVE-2022-41930: XWIKI-19792: User should not be able to disable themselves · xwiki/xwiki-platform@5be1cc0

org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow a disabled user to re-enable themselves, or an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2.

Workarounds: The problem can be patched immediately by editing the page XWiki.XWikiUserProfileSheet in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.
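One way to confirm the workaround has been applied is to audit an exported copy of the sheet. This is an added example, not code from XWiki or from the original page: it checks that `$hasAdmin` and `!$isCurrentUser` are top-level `&&` terms of the two `#if` conditions the commit changes. The `<xwikidoc>` wrapper and the trimmed sample pages are constructed assumptions, and the splitter does not handle parentheses inside string literals.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

IF_LINE = re.compile(r"^\s*#if\s*\((.*)\)\s*$")

def conjuncts(cond):
    """Split a Velocity condition on '&&' that sits outside parentheses."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(cond):
        if cond[i] == "(":
            depth += 1
        elif cond[i] == ")":
            depth -= 1
        elif depth == 0 and cond.startswith("&&", i):
            parts.append(cond[start:i].strip())
            i += 2
            start = i
            continue
        i += 1
    return parts + [cond[start:].strip()]

def audit_sheet(xar_xml):
    """Check an exported XWiki.XWikiUserProfileSheet for both guards of the fix."""
    content = ET.fromstring(xar_xml).findtext("content") or ""
    result = {"handler_found": False, "admin_guard": False, "self_guard": False}
    for line in content.splitlines():
        m = IF_LINE.match(line)
        terms = conjuncts(m.group(1)) if m else []
        if m and "$request.action" in m.group(1):   # outer enable/disable handler
            result["handler_found"] = True
            # A guard only counts as a required term, not as "$hasAdmin || ...".
            result["admin_guard"] = "$hasAdmin" in terms
        elif m and ".exists(" in m.group(1):        # inner check on the target user
            result["self_guard"] = "!$isCurrentUser" in terms
    return result

# Constructed sample pages, trimmed to the conditions the commit touches.
ACTION = ('"$!request.userId" != "" && ($request.action == "disable" || '
          '$request.action == "enable") && $services.csrf.isTokenValid($request.csrf)')
EXISTS = "$user.getUser().exists($xcontext.context)"

def sample_page(outer, inner):
    body = "{{velocity}}\n#if (%s)\n  #if (%s)\n  #end\n#end\n{{/velocity}}" % (outer, inner)
    return "<xwikidoc><content>%s</content></xwikidoc>" % escape(body)

UNPATCHED = sample_page(ACTION, EXISTS)
PATCHED = sample_page("$hasAdmin && " + ACTION, "!$isCurrentUser && " + EXISTS)
print(audit_sheet(UNPATCHED), audit_sheet(PATCHED))
```

A sheet with `handler_found` true and either guard false still needs the edit from the commit.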


@@ -37,9 +37,10 @@

<syntaxId>xwiki/2.0</syntaxId>

<hidden>true</hidden>

<content>{{velocity}}

#if (“$!request.userId” != “” && ($request.action == “disable” || $request.action == “enable”) && $services.csrf.isTokenValid($request.csrf))

#if ($hasAdmin && “$!request.userId” != “” && ($request.action == “disable” || $request.action == “enable”) && $services.csrf.isTokenValid($request.csrf))

#set ($user = $xwiki.getUser($request.userId))

#if ($user.getUser().exists($xcontext.context))

#set ($isCurrentUser = $user.getUser().userReference.equals($xcontext.userReference))

#if (!$isCurrentUser && $user.getUser().exists($xcontext.context))

#set ($disabled = ($request.action == “disable”))

#set ($discard = $user.setDisabledStatus($disabled))

#set ($success = ($disabled && $user.isDisabled()) || (!$disabled && !$user.isDisabled()))
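Review bot: The `$hasAdmin` term added to the outer `#if` is the actual authorization check, but nothing in this hunk says where it is set or which scope it covers (the whole wiki, or only the document being rendered). A one-line Velocity comment above that condition would make the intent reviewable, and the commit title ("User should not be able to disable themselves") describes only the inner `$isCurrentUser` change, not the admin guard. In the inner `#if (!$isCurrentUser && $user.getUser().exists($xcontext.context))`, a self-targeted request and an unknown `userId` now take the same path; consider separate branches if the response should tell the two cases apart.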

Related news

GHSA-p5v9-g8w8-5q4v: Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

### Impact
Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow a disabled user to re-enable themselves, or an attacker to disable any user of the wiki.

### Patches
The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2.

### Workarounds
The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

### References
* https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
* https://jira.xwiki.org/browse/XWIKI-19792

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])
