
THREATINT
PUBLISHED

CVE-2024-38369

XWiki programming rights may be inherited by inclusion



Assigner: GitHub_M
Reserved: 2024-06-14
Published: 2024-06-24
Updated: 2024-08-02

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the rights of the includer rather than with the rights of its author. As a result, any user able to modify the target document can impersonate the author of the content that used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.



CRITICAL: 10.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Problem types

CWE-863: Incorrect Authorization

Product status

>= 1.5-milestone-2, < 15.0-rc-1: affected

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh

cve.org CVE-2024-38369

nvd.nist.gov CVE-2024-38369
