Bruhbey

**Name of the Vulnerable Software and Affected Versions** Kiteworks versions prior to 9.3.0 **Description** Kiteworks is a private data network (PDN). An Insecure Direct Object Reference (IDOR)—a flaw where an application provides direct access to objects based on user-supplied input—exists in Kiteworks Secure Data Forms. This allows an authenticated user to modify resources belonging to other users because of insufficient authorization checks on resource ownership. **Recommendations** Upgrade to version 9.3.0 or later.

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 17.0.5 OpenProject versions prior to 17.1.2 **Description** OpenProject is a web-based project management software. An attacker can create wiki pages for projects they are not authorized to access by sending an improperly authenticated request. **Recommendations** Update to OpenProject version 17.0.5 or later. Update to OpenProject version 17.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 13.2-rc-1 through 14.10.20 XWiki Platform versions 15.0.0 through 15.5.4 XWiki Platform versions 15.10.0 XWiki Platform versions 16.0.0 before 16.0RC1 **Description** The issue allows access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. The filters mainly contain references which are public data in XWiki, but some information could be used in combination with other vulnerabilities. **Recommendations** For XWiki Platform versions 13.2-rc-1 through 14.10.20, upgrade to version 14.10.21 or later. For XWiki Platform versions 15.0.0 through 15.5.4, upgrade to version 15.5.5 or later. For XWiki Platform version 15.10.0, upgrade to version 15.10.1 or later. For XWiki Platform versions 16.0.0 before 16.0RC1, upgrade to version 16.0RC1 or later. As a temporary workaround, an administrator can edit directly the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 14.0-rc-1 through 14.4.7 XWiki Platform versions 14.0-rc-1 through 14.10.3 XWiki Platform versions 14.0-rc-1 through 14.9.x XWiki Platform version 15.0-rc-1 is not affected, but versions prior to it are **Description** The issue is related to errors in authorization, allowing a remote attacker to edit arbitrary documents. An attacker with edit access on any document can move any attachment of any other document to this attacker-controlled document, accessing and possibly publishing any attachment of which the name is known, regardless of view or edit rights on the source document. The attachment is deleted from the source document. **Recommendations** For XWiki Platform versions 14.0-rc-1 through 14.4.7, upgrade to version 14.4.8. For XWiki Platform versions 14.0-rc-1 through 14.10.3, upgrade to version 14.10.4. For XWiki Platform versions 14.0-rc-1 through 14.9.x, upgrade to a fixed version. As a temporary workaround, consider restricting access to the attachment move feature until a patch is available.