CVE-2022-41937: Filter stream application should require programming right
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The filter stream application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, set the rights of the page Filter.WebHome so that only the main wiki administrators can view it if the application is installed on the main wiki, or edit the page and apply the changes described in commit fb49b4f.
- XWiki Platform
- XWIKI-19758
Closed
Details
**Type:** Bug
**Resolution:** Fixed
**Priority:** Blocker
Fix Version/s: 14.6-rc-1, 13.10.8, 14.4.3
Affects Version/s: 6.0-milestone-2, 5.4.4
Component/s: Filter - UI
Labels:
- attack_escalation
- attacker_view
- bugfixingday
- security
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q6jp-gcww-8v2j
Documentation in Release Notes:
N/A
Description
The API is protected, but the application allows anyone to use it provided it was installed by someone having programming right…
The workaround is to uninstall the application when you are done with it.
People
Assignee:
Thomas Mortagne
Reporter:
Thomas Mortagne
Dates
Created:
23/May/22 18:03
Updated:
Yesterday 10:27
Resolved:
30/Jun/22 17:55
Related news
### Impact

The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package.

### Patches

The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8.

### Workarounds

The problem can be patched immediately by setting the rights of the page Filter.WebHome so that only main wiki administrators can VIEW it if the application is installed on the main wiki, or by editing the page and applying the changes described in https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113.

### References

* https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113
* https://jira.xwiki.org/browse/XWIKI-19758

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])