XWiki Commons are technical libraries common to several other top-level XWiki projects. The Document script API directly returns a DocumentAuthors object that allows setting any author on the document, which can in turn allow subsequent execution of scripts, since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 | Patch |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c | Vendor Advisory |
https://jira.xwiki.org/browse/XWIKI-20380 | Issue Tracking |
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-04-16T06:52:19.020Z
Updated: 2023-04-16T06:52:19.020Z
Reserved: 2023-04-07T18:56:54.626Z
Link: CVE-2023-29507
NVD Information
Status: Analyzed
Published: 2023-04-16T07:15:53.187
Modified: 2023-04-26T17:51:42.617
Link: CVE-2023-29507