First published: Fri Apr 08 2022
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Ordinary users can create global SSX/JSX (StyleSheet and JavaScript skin extensions) without any specific right: in theory only users with Programming Rights should be allowed to create an SSX or JSX that is executed on every page of a wiki, but a bug allows anyone with edit rights to create one. Since a global JSX is delivered to the browser of every visitor, administrators included, a user with nothing more than edit rights can run script of their choosing in other users' sessions. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.
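A review check to go with the advice above, added here as an example and not XWiki's own code: it walks exported XAR document XML and lists SSX/JSX objects with use=always whose author is not on a caller-supplied list of Programming Rights holders. The class names XWiki.JavaScriptExtension and XWiki.StyleSheetExtension and the use=always property are XWiki's; the XAR element paths are my recollection of the export format, the three sample documents are constructed, and the allow-list of programming users is hypothetical (rights are evaluated by the server, not here). Upgrading stops edit-rights users from creating new global extensions; whether any saved earlier need cleaning up is worth checking on a wiki that ran an affected version.

```python
"""Audit XWiki XAR document exports for global skin extensions (SSX/JSX with
use=always) whose author lacks Programming Rights.

Added example for this advisory, not XWiki project code. The XAR document
layout used here (<xwikidoc> with <web>, <name>, <author>, and <object>
elements carrying <className> and <property><use>...</use></property>) is
how XWiki exports look as far as I recall; check one real export before
trusting the paths. All sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable

# The two skin-extension classes XWiki injects into rendered pages.
SKIN_EXTENSION_CLASSES = {"XWiki.JavaScriptExtension", "XWiki.StyleSheetExtension"}


@dataclass(frozen=True)
class GlobalExtension:
    document: str  # Space.Page of the document that holds the object
    xclass: str    # XWiki.JavaScriptExtension or XWiki.StyleSheetExtension
    author: str    # author reference recorded in the export


def global_extensions(xar_document_xml: str) -> list[GlobalExtension]:
    """Return every SSX/JSX object with use=always in one exported document."""
    root = ET.fromstring(xar_document_xml)
    document = f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or ""
    found = []
    for obj in root.iter("object"):
        xclass = obj.findtext("className")
        if xclass not in SKIN_EXTENSION_CLASSES:
            continue
        # "always" means the extension is loaded on every page of the wiki,
        # which is exactly what should require Programming Rights.
        if obj.findtext("property/use") == "always":
            found.append(GlobalExtension(document, xclass, author))
    return found


def unauthorized_global_extensions(
    documents: Iterable[str], programming_users: set[str]
) -> list[GlobalExtension]:
    """Global extensions authored by someone outside the Programming Rights set.

    XWiki evaluates rights server-side; the caller passes the user references
    it has confirmed hold Programming Rights (hypothetical allow-list).
    """
    return [
        ext
        for xml in documents
        for ext in global_extensions(xml)
        if ext.author not in programming_users
    ]


def _doc(web: str, name: str, author: str, objects: str) -> str:
    """Build a minimal constructed XAR document for the samples below."""
    return (
        f'<xwikidoc version="1.3" reference="{web}.{name}" locale="">'
        f"<web>{web}</web><name>{name}</name><author>{author}</author>"
        f"{objects}</xwikidoc>"
    )


def _ext(xclass: str, use: str, code: str) -> str:
    """One skin-extension object with its 'use' and 'code' properties."""
    return (
        f"<object><className>{xclass}</className><number>0</number>"
        f"<property><use>{use}</use></property>"
        f"<property><code>{code}</code></property></object>"
    )


# Constructed samples: a legitimate admin stylesheet, an edit-rights user's
# wiki-wide JSX (the CVE-2022-24821 case), and the same user's on-demand JSX.
SAMPLE_DOCUMENTS = [
    _doc("Admin", "SiteStyle", "xwiki:XWiki.Admin",
         _ext("XWiki.StyleSheetExtension", "always", "body { margin: 0 }")),
    _doc("Sandbox", "GlobalJsx", "xwiki:XWiki.alice",
         _ext("XWiki.JavaScriptExtension", "always",
              "new Image().src = '/collect?c=' + document.cookie")),
    _doc("Sandbox", "LocalJsx", "xwiki:XWiki.alice",
         _ext("XWiki.JavaScriptExtension", "onDemand", "console.log('ok')")),
]
PROGRAMMING_USERS = {"xwiki:XWiki.Admin"}  # hypothetical verified allow-list

if __name__ == "__main__":
    for ext in unauthorized_global_extensions(SAMPLE_DOCUMENTS, PROGRAMMING_USERS):
        print(f"REVIEW {ext.document}: {ext.xclass} (use=always) by {ext.author}")
```

Only Sandbox.GlobalJsx is reported: the admin's stylesheet is global but its author is on the allow-list, and alice's on-demand extension is never injected wiki-wide. On a real export, feed every `*.xml` under the XAR's space directories to `unauthorized_global_extensions` and confirm the allow-list against the wiki's actual Programming Rights holders.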
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
XWiki | >=12.0.0, <12.10.11 | Upgrade to 12.10.11 |
XWiki | >=13.4.0, <13.4.6 | Upgrade to 13.4.6 |
XWiki | 13.10 line before 13.10-rc-1 | Upgrade to 13.10-rc-1 or later |
CVE-2022-24821 is rated high severity: an improper access control flaw lets users holding only edit rights create global skin extensions (SSX/JSX) that are executed on every page of the wiki, something that should require Programming Rights.
To fix CVE-2022-24821, upgrade XWiki to 12.10.11, 13.4.6 or 13.10-rc-1 (or any later release); there is no configuration workaround.
CVE-2022-24821 affects XWiki 12.0.0 up to but not including 12.10.11, 13.4.0 up to but not including 13.4.6, and the 13.10 line before 13.10-rc-1.
The impact of CVE-2022-24821 is unauthorized script execution in the browser of every wiki visitor, administrators included, which can lead to compromise of the XWiki instance.
CVE-2022-24821 can be exploited remotely by any user who holds edit rights on the wiki; no Programming Rights are needed.