What is the vulnerability ID for this vulnerability?

The vulnerability ID for this vulnerability is CVE-2023-26478.

What is the severity of CVE-2023-26478?

The severity of CVE-2023-26478 is high, with a CVSS score of 8.1.

What is the description of CVE-2023-26478?

CVE-2023-26478 is a vulnerability in XWiki Platform where starting in version 14.3-rc-1, a certain script service method exposes a class that should not be accessible without proper permissions.

Which version of XWiki Platform is affected by CVE-2023-26478?

Versions 14.3-rc-1 to 14.4.6 and versions 14.5 to 14.9 of XWiki Platform are affected by CVE-2023-26478.

How can CVE-2023-26478 be fixed?

To fix CVE-2023-26478, users should update to a version of XWiki Platform that is not affected by the vulnerability, such as versions after 14.9.

Vulnerability/
CVE-2023-26478

high

8.1

CWE

749

2/3/2023

2/8/2024

CVE-2023-26478: org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or Function

First published: Thu Mar 02 2023(Updated: )

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Xwiki Xwiki	>=14.3<14.4.6
Xwiki Xwiki	>=14.5<14.9

Remedy

https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2023-26478.
What is the severity of CVE-2023-26478?
The severity of CVE-2023-26478 is high, with a CVSS score of 8.1.
What is the description of CVE-2023-26478?
CVE-2023-26478 is a vulnerability in XWiki Platform where starting in version 14.3-rc-1, a certain script service method exposes a class that should not be accessible without proper permissions.
Which version of XWiki Platform is affected by CVE-2023-26478?
Versions 14.3-rc-1 to 14.4.6 and versions 14.5 to 14.9 of XWiki Platform are affected by CVE-2023-26478.
How can CVE-2023-26478 be fixed?
To fix CVE-2023-26478, users should update to a version of XWiki Platform that is not affected by the vulnerability, such as versions after 14.9.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/references
agent/remedy
agent/severity
agent/last-modified-date
agent/author
agent/description
agent/first-publish-date
agent/event
agent/tags
vendor/xwiki
canonical/xwiki xwiki
version/xwiki xwiki/14.3
version/xwiki xwiki/14.5

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.