PT-2023-20669 · Xwiki · Xwiki Platform

Manuel Leduc · Published 2023-03-02 · Updated 2023-03-10 · CVE-2023-26478

CVSS v3.1: 6.6 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 14.3-rc-1 through 14.4.5
XWiki Platform versions 14.9-rc-1 and earlier, excluding 14.4.6 and later

Description
The issue arises from the org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment function returning an instance of com.xpn.xwiki.doc.XWikiAttachment, which should not be exposed to users without the programming right. Instead, com.xpn.xwiki.api.Attachment should be used, as it checks the user's rights before performing dangerous operations.

Recommendations
For XWiki Platform versions 14.3-rc-1 through 14.4.5, update to version 14.4.6 or later. For XWiki Platform versions 14.9-rc-1 and earlier, excluding 14.4.6 and later, update to version 14.9-rc-1 or later. As a temporary workaround, consider restricting access to the org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment function until a patch is applied.
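The following is an added illustration of the design point the description makes: a script service that hands callers the internal model object lets any script-capable caller perform privileged operations, whereas handing out an API wrapper puts the rights check in front of every dangerous method. This is not XWiki's code; every class and method name below (InternalAttachment, ApiAttachment, ScriptContext, the two uploadTemporaryAttachment variants) is a hypothetical stand-in for the pattern, and the rights model is reduced to a string set.

```java
import java.util.Set;

// Added, self-contained model of "internal object vs. rights-checking API wrapper".
// All names are hypothetical stand-ins; nothing here is XWiki's own API.
public class AttachmentWrapperDemo {

    /** Hypothetical internal model object. It performs no rights checks of its own. */
    static final class InternalAttachment {
        private String filename;
        private byte[] content;

        InternalAttachment(String filename, byte[] content) {
            this.filename = filename;
            this.content = content.clone();
        }
        String getFilename() { return filename; }
        byte[] getContent() { return content.clone(); }
        // Mutators are "dangerous operations": no check happens at this layer.
        void setFilename(String filename) { this.filename = filename; }
        void setContent(byte[] content) { this.content = content.clone(); }
    }

    /** Hypothetical stand-in for the calling script's security context. */
    static final class ScriptContext {
        private final Set<String> rights;
        ScriptContext(Set<String> rights) { this.rights = rights; }
        boolean hasProgrammingRight() { return rights.contains("programming"); }
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /** Hypothetical API wrapper: read-only access is open, mutation needs the programming right. */
    static final class ApiAttachment {
        private final InternalAttachment inner;
        private final ScriptContext context;

        ApiAttachment(InternalAttachment inner, ScriptContext context) {
            this.inner = inner;
            this.context = context;
        }
        String getFilename() { return inner.getFilename(); }
        int getSize() { return inner.getContent().length; }
        void setFilename(String filename) {
            requireProgrammingRight();
            inner.setFilename(filename);
        }
        void setContent(byte[] content) {
            requireProgrammingRight();
            inner.setContent(content);
        }
        private void requireProgrammingRight() {
            if (!context.hasProgrammingRight()) {
                throw new AccessDeniedException("programming right required");
            }
        }
    }

    /** Vulnerable shape: the internal object escapes to the caller, bypassing every check. */
    static InternalAttachment uploadTemporaryAttachmentUnsafe(ScriptContext ctx, String name, byte[] data) {
        return new InternalAttachment(name, data);
    }

    /** Fixed shape: the caller only ever sees the wrapper, so checks cannot be skipped. */
    static ApiAttachment uploadTemporaryAttachmentSafe(ScriptContext ctx, String name, byte[] data) {
        return new ApiAttachment(new InternalAttachment(name, data), ctx);
    }

    public static void main(String[] args) {
        // Constructed caller: has script right but not programming right.
        ScriptContext scriptOnly = new ScriptContext(Set.of("script"));
        byte[] data = "constructed sample content".getBytes();

        // Unsafe service: the caller mutates the attachment with no check at all.
        InternalAttachment raw = uploadTemporaryAttachmentUnsafe(scriptOnly, "report.txt", data);
        raw.setFilename("renamed.txt");
        System.out.println("unsafe: renamed to " + raw.getFilename());

        // Safe service: reads work, mutation is refused at the wrapper.
        ApiAttachment wrapped = uploadTemporaryAttachmentSafe(scriptOnly, "report.txt", data);
        System.out.println("safe: " + wrapped.getFilename() + ", " + wrapped.getSize() + " bytes");
        try {
            wrapped.setFilename("renamed.txt");
        } catch (AccessDeniedException e) {
            System.out.println("safe: denied, " + e.getMessage());
        }
    }
}
```

The defensive takeaway is the return type of the script-facing method: once a method reachable from scripts returns the internal object, no later check can be applied, so code review of script services should treat "internal type in a public signature" as a finding in its own right.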

Related Identifiers

CVE-2023-26478
GHSA-8692-G6G9-GM5P

Affected Products

Xwiki Platform