GHSA-8692-g6g9-gm5p: xwiki contains Exposed Dangerous Method or Function

Package

maven org.xwiki.platform:xwiki-platform-store-filesystem-oldcore (Maven)

Affected versions

>= 14.3-rc-1, < 14.4.6

>= 14.5, < 14.9-rc-1

Patched versions

14.4.6

14.9-rc-1

Description

Impact

org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment returns an instance of com.xpn.xwiki.doc.XWikiAttachment. This internal model class is not meant to be exposed to users who do not hold the programming right.
com.xpn.xwiki.api.Attachment should be returned instead: it wraps the model object and takes care of checking the user's rights before performing dangerous operations.

Patches

This has been patched in versions 14.9-rc-1 and 14.4.6.

Workarounds

There’s no workaround for this issue.

References

https://jira.xwiki.org/browse/XWIKI-20180

For more information

If you have any questions or comments about this advisory:

  • Open an issue in JIRA
  • Email us at the security mailing list

References

  • GHSA-8692-g6g9-gm5p
  • https://nvd.nist.gov/vuln/detail/CVE-2023-26478
  • xwiki/xwiki-platform@3c73c59
  • https://jira.xwiki.org/browse/XWIKI-20180

manuelleduc published to xwiki/xwiki-platform

Mar 1, 2023

Published by the National Vulnerability Database

Mar 2, 2023

Published to the GitHub Advisory Database

Mar 3, 2023

Reviewed

Mar 3, 2023

Related news

CVE-2023-26478: TemporaryAttachmentsScriptService#uploadTemporaryAttachment returns an XWikiAttachment instance

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not meant to be exposed to users without the `programming` right. `com.xpn.xwiki.api.Attachment` should be used instead, since it takes care of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.
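The pattern behind both the Impact section and the CVE description above, as a simplified model added here (not XWiki's own code, and not the actual fix commit): the stand-in classes ModelAttachment, ApiAttachment and Context are constructed for this example to mirror the roles of XWikiAttachment, the Attachment API wrapper and the caller's rights, and the two uploadTemporaryAttachment variants are hypothetical.

```java
// Simplified model of the GHSA-8692-g6g9-gm5p pattern: a script service that hands out an
// internal model object lets any script author perform operations the API wrapper would guard.
// All classes below are constructed stand-ins, not XWiki's real ones.
public class AttachmentExposureDemo {

    /** Stand-in for the internal model class (cf. com.xpn.xwiki.doc.XWikiAttachment). No rights checks. */
    static final class ModelAttachment {
        private final String filename;
        private byte[] content;
        ModelAttachment(String filename, byte[] content) { this.filename = filename; this.content = content; }
        String getFilename() { return filename; }
        byte[] getContent() { return content; }
        void setContent(byte[] newContent) { content = newContent; } // dangerous: trusts every caller
    }

    /** Stand-in for the script's execution context: who runs it and whether they hold programming right. */
    static final class Context {
        final String user;
        final boolean programmingRight;
        Context(String user, boolean programmingRight) { this.user = user; this.programmingRight = programmingRight; }
    }

    /** Stand-in for the public API wrapper (cf. com.xpn.xwiki.api.Attachment): checks rights, then delegates. */
    static final class ApiAttachment {
        private final ModelAttachment model;
        private final Context context;
        ApiAttachment(ModelAttachment model, Context context) { this.model = model; this.context = context; }
        String getFilename() { return model.getFilename(); }
        byte[] getContent() { return model.getContent().clone(); } // read-only view for the script
        void setContent(byte[] newContent) {
            if (!context.programmingRight) {
                throw new SecurityException(context.user + " lacks programming right");
            }
            model.setContent(newContent);
        }
    }

    /** Vulnerable shape (hypothetical): the raw model object escapes to script code. */
    static ModelAttachment uploadVulnerable(String filename, byte[] data, Context ctx) {
        return new ModelAttachment(filename, data);
    }

    /** Fixed shape (hypothetical): only the rights-checking wrapper is returned. */
    static ApiAttachment uploadFixed(String filename, byte[] data, Context ctx) {
        return new ApiAttachment(new ModelAttachment(filename, data), ctx);
    }

    public static void main(String[] args) {
        Context scripter = new Context("script-author-without-pr", false);
        ModelAttachment raw = uploadVulnerable("notes.txt", "hello".getBytes(), scripter);
        raw.setContent("overwritten".getBytes()); // succeeds: nothing consulted the caller's rights
        ApiAttachment safe = uploadFixed("notes.txt", "hello".getBytes(), scripter);
        try { safe.setContent("overwritten".getBytes()); }
        catch (SecurityException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Running main shows the raw object accepting the write while the wrapper refuses it, which is why the advisory's fix is to change the return type rather than to add a check at the call site.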