CVE-2022-41937: Filter stream application should require programming right

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, set the rights of the page Filter.WebHome so that only the main wiki administrators can view the application installed on the main wiki, or edit the page and apply the changes described in commit fb49b4f.

  1. XWiki Platform
  2. XWIKI-19758

Closed

Details

  • Type: Bug

  • Resolution: Fixed

  • Priority: Blocker

  • Fix Version/s: 14.6-rc-1, 13.10.8, 14.4.3

  • Affects Version/s: 6.0-milestone-2, 5.4.4

  • Component/s: Filter - UI

  • Labels:

    • attack_escalation
    • attacker_view
    • bugfixingday
    • security
  • Difficulty:

    Unknown

  • Documentation:

    https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q6jp-gcww-8v2j

  • Documentation in Release Notes:

    N/A

Description

The API is protected, but the application allows anyone to use it provided it was installed by someone having programming right…

The workaround is to uninstall the application when you are done with it.

People

Assignee:

Thomas Mortagne

Reporter:

Thomas Mortagne

Dates

Created:

23/May/22 18:03

Updated:

Yesterday 10:27

Resolved:

30/Jun/22 17:55

Related news

GHSA-q6jp-gcww-8v2j: Missing Authorization in Filter Stream Converter Application

### Impact

The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package.

### Patches

The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8.

### Workarounds

The problem can be patched immediately by setting the right of the page Filter.WebHome and making sure only main wiki administrators can VIEW it if the application is installed on the main wiki, or by editing the page and applying the changes described in https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113.

### References

* https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113
* https://jira.xwiki.org/browse/XWIKI-19758

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])
