CVE-2022-41929

Sažetak

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

Reference

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq
https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
https://jira.xwiki.org/browse/XWIKI-19804

CVSS

Base:	4.9
Impact:	3.6
Exploitability:	1.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	-

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Zadnje važnije ažuriranje

30-11-2022 - 16:48

Objavljeno

23-11-2022 - 19:15