CVE-2022-41929
published 2022-11-23CVE-2022-41929: org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script…
PriorityP424medium4.9CVSS 3.1
AVNACLPRHUINSUCNIHAN
EPSS
0.71%
49.1th percentile
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | < 13.10.7 | 13.10.7 |
| xwiki | xwiki | < 14.4.2 | 14.4.2 |
| xwiki | xwiki | — | — |
| xwiki | xwiki | — | — |
| xwiki | xwiki | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
ghsa·2022-11-21
CVE-2022-41929 [MEDIUM] CWE-862 Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
### Impact
It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.
### Patches
This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
### Workarounds
There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.
### References
* https://jira.xwiki.org/browse/XWIKI-19804
* https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwi
OSV
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
osv·2022-11-21
CVE-2022-41929 [MEDIUM] Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
### Impact
It's possible for a user with only Script rights to enable or disable a user: this operation should be only doable for users with admin rights.
### Patches
This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
### Workarounds
There is no workaround other than upgrading the wiki, but note that this only impacts users with Script rights: administrator should take care which users have such right.
### References
* https://jira.xwiki.org/browse/XWIKI-19804
* https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cdhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qqhttps://jira.xwiki.org/browse/XWIKI-19804https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cdhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qqhttps://jira.xwiki.org/browse/XWIKI-19804
2022-11-23
Published