Base Score

HIGH8.1

CVE-2022-24821

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateApr 08, 2022, 19:15

Affected Versions(3)

org.xwiki.platform:xwiki-platform-skin-skinx(Maven)

Introduced13.5.0

Fixed13.10

LimitN/A

org.xwiki.platform:xwiki-platform-skin-skinx(Maven)

Introduced0

Fixed12.10.11

LimitN/A

org.xwiki.platform:xwiki-platform-skin-skinx(Maven)

Introduced13.0.0

Fixed13.4.6

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.xwiki.platform:xwiki-platform-skin-skinx(Maven)	13.5.0	13.10	N/A
org.xwiki.platform:xwiki-platform-skin-skinx(Maven)	0	12.10.11	N/A
org.xwiki.platform:xwiki-platform-skin-skinx(Maven)	13.0.0	13.4.6	N/A

Weakness Type (CWE):CWE-648

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

HIGH8.1

Weakness Type (CWE):CWE-648

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE