PT-2023-8615 · Xwiki · Xwiki Platform

Bruhbey

Published: 2023-10-25
Updated: 2023-10-31

CVE-2023-37910

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 14.0-rc-1 through 14.4.7
XWiki Platform versions 14.0-rc-1 through 14.10.3
XWiki Platform versions 14.0-rc-1 through 14.9.x
XWiki Platform version 15.0-rc-1 is not affected, but versions prior to it are
Description

The issue stems from an authorization error that allows a remote attacker to edit arbitrary documents. An attacker with edit access on any document can move any attachment of any other document into that attacker-controlled document, thereby reading and possibly publishing any attachment whose name is known, regardless of view or edit rights on the source document. The attachment is removed from the source document as part of the move.
Recommendations

For XWiki Platform versions 14.0-rc-1 through 14.4.7, upgrade to version 14.4.8.
For XWiki Platform versions 14.0-rc-1 through 14.10.3, upgrade to version 14.10.4.
For XWiki Platform versions 14.0-rc-1 through 14.9.x, upgrade to a fixed version.
As a temporary workaround, consider restricting access to the attachment move feature until a patch is available.


Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2024-01268
CVE-2023-37910
GHSA-RWWX-6572-MP29

Affected Products

Xwiki Platform