Xwiki · Xwiki-Platform-Oldcore · CVE-2022-31166
**Name of the Vulnerable Software and Affected Versions**
XWiki Platform Old Core versions 11.3.7 through 12.0RC1
XWiki Platform Old Core version 11.0.3
**Description**
A bug in the way XWikiRights resolves groups can be exploited to escalate privileges. Editing a right with the object editor appends an extra empty value to the right's list of groups. That empty value is resolved as a document reference, and an empty reference resolves to the XWiki.WebHome page. Adding an XWikiGroups xobject (class XWiki.XWikiGroups) to that page turns it into a group, so any user added to that group gains the privileges granted by the edited right. The issue is normally mitigated by the fact that XWiki.WebHome is protected against editing by default, so the escalation requires a user who can edit that page.
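The following is an added example, not XWiki's own code, that models the mechanism described above so the two halves of the bug can be seen together: a default reference resolver turning an empty group entry into XWiki.WebHome, and a page becoming a group the moment it carries an XWikiGroups xobject. The page store, the user names (XWiki.Alice, XWiki.Bob), the right's groups field and the "fixed" resolver are all constructed here for illustration; only the names XWiki.WebHome and XWiki.XWikiGroups are real, and the hardened resolver is not XWiki's actual patch.

```python
"""Simulation of the group-resolution flaw described for CVE-2022-31166.

Added example, not XWiki's code: the page store, the user names and the
resolver below are constructed here to model the behaviour in the
description. Only the names XWiki.WebHome and XWiki.XWikiGroups are real.
"""
from dataclasses import dataclass, field

DEFAULT_SPACE = "XWiki"
DEFAULT_DOC = "WebHome"


@dataclass
class Page:
    """A wiki page: the xobject classes attached to it and, when one of
    them is XWiki.XWikiGroups, the members listed in those objects."""
    name: str
    objects: list = field(default_factory=list)
    members: set = field(default_factory=set)

    def is_group(self) -> bool:
        # A page becomes a group as soon as it carries an XWikiGroups xobject.
        return "XWiki.XWikiGroups" in self.objects


def build_wiki() -> dict:
    """Constructed wiki: one real group page and the XWiki space's
    default page, which is a plain page until someone edits it."""
    return {
        "XWiki.Admins": Page("XWiki.Admins", ["XWiki.XWikiGroups"], {"XWiki.Alice"}),
        "XWiki.WebHome": Page("XWiki.WebHome"),
    }


def resolve_reference(value: str) -> str:
    """Resolve a document reference string the way a default resolver does:
    missing parts are filled from the defaults, so '' -> 'XWiki.WebHome'
    and 'Sandbox.' -> 'Sandbox.WebHome'."""
    space, _, doc = value.rpartition(".")
    return f"{space or DEFAULT_SPACE}.{doc or DEFAULT_DOC}"


def resolve_groups_vulnerable(groups_field: str) -> list:
    """Flawed resolution: every comma-separated entry is resolved, including
    the empty one the object editor appends ('XWiki.Admins,')."""
    return [resolve_reference(v) for v in groups_field.split(",")]


def resolve_groups_fixed(groups_field: str) -> list:
    """Hardened resolution (illustrative, not XWiki's actual patch):
    blank entries are discarded before any resolution takes place."""
    return [resolve_reference(v) for v in groups_field.split(",") if v.strip()]


def user_has_right(wiki: dict, user: str, groups_field: str, resolver) -> bool:
    """The right applies if the user belongs to any group the right names.
    Only pages that are actually groups count, which is why the attacker
    must first attach an XWikiGroups xobject to XWiki.WebHome."""
    for ref in resolver(groups_field):
        page = wiki.get(ref)
        if page is not None and page.is_group() and user in page.members:
            return True
    return False


def demo() -> tuple:
    """Return (before the attack, vulnerable resolver, fixed resolver)
    for an outsider checked against a right saved with a trailing empty group."""
    wiki = build_wiki()
    groups_field = "XWiki.Admins,"   # as saved by the object editor
    bob = "XWiki.Bob"                # not a member of XWiki.Admins

    before = user_has_right(wiki, bob, groups_field, resolve_groups_vulnerable)

    # An attacker who can edit XWiki.WebHome turns it into a group and joins it.
    wiki["XWiki.WebHome"].objects.append("XWiki.XWikiGroups")
    wiki["XWiki.WebHome"].members.add(bob)

    vulnerable = user_has_right(wiki, bob, groups_field, resolve_groups_vulnerable)
    fixed = user_has_right(wiki, bob, groups_field, resolve_groups_fixed)
    return before, vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three states in order: the outsider has no right before the attack, gains it once XWiki.WebHome has been made a group under the flawed resolver, and keeps nothing under the resolver that drops blank entries. On a live instance the practical checks are the two preconditions the simulation makes explicit: that XWiki.WebHome carries no XWiki.XWikiGroups xobject, and that its edit right is restricted as the workaround below requires.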
**Recommendations**
For XWiki Platform Old Core versions 11.3.7 through 12.0RC1, update to version 13.10.4 or later to patch the issue.
For XWiki Platform Old Core version 11.0.3, update to version 13.10.4 or later to patch the issue.
As a temporary workaround, restrict the edit right on the XWiki.WebHome page so that ordinary users cannot modify it (and therefore cannot attach an XWikiGroups xobject to it).