PT-2023-22205 · Xwiki · Xwiki Commons

Tmortagne

Published

2023-04-12

Updated

2023-04-25

CVE-2023-29208

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions XWiki Commons versions prior to 14.10

Description The issue concerns rights added to a document not being taken into account for viewing it once it's deleted. This specifically impacts deleted documents that contained view rights. However, view rights provided on a space of a deleted document are properly checked. The problem has been resolved by checking the rights of the current user, allowing only admins and the deleter of the document to view it.

Recommendations For versions prior to 14.10, update to XWiki 14.10 to resolve the issue by implementing the patch that checks the rights of the current user, restricting viewing of deleted documents to admins and the document's deleter.

Exploit

Fix

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-668

Related Identifiers

CVE-2023-29208

GHSA-4F8G-FQ6X-JQRR

Affected Products

Xwiki Commons

PT-2023-22205 · Xwiki · Xwiki Commons

CVE-2023-29208

Weakness Enumeration

Related Identifiers

Affected Products

References · 10