CVE-2023-46743

Name of the Vulnerable Software and Affected Versions application-collabora versions prior to 1.3

Description The issue is related to the application-collabora integration of Collabora Online in XWiki, where the rights of a user over a document are not properly enforced. Specifically, when a user opens an attachment file in edit mode, this right is preserved for all future users until the editing session is closed, even if some of them only have view rights. The Collabora server is responsible for issuing this request, and it appears that the userCanWrite query parameter is cached.

Recommendations For versions prior to 1.3, update to version 1.3 to resolve the issue. As a temporary workaround, consider restricting access to the Collabora server or disabling the editing functionality for users with only view rights until the patch is applied.