CVE-2022-41930

Опубликовано: 23 нояб. 2022

Источник: nvd

CVSS3: 7.5

CVSS3: 8.2

EPSS Низкий

Описание

org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page XWiki.XWikiUserProfileSheet in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v
Patch
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19792
Exploit
Issue Tracking
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
Patch
Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v
Patch
Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19792
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 12.4 (включая) до 13.10.7 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.0.0 (включая) до 14.4.2 (исключая)

cpe:2.3:a:xwiki:xwiki:14.4.3:*:*:*:*:*:*:*

cpe:2.3:a:xwiki:xwiki:14.4.4:*:*:*:*:*:*:*

EPSS

Процентиль: 76%

0.00929

Низкий

7.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-p5v9-g8w8-5q4v

CVSS3: 9.1

github

около 3 лет назад

Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

EPSS

Процентиль: 76%

0.00929

Низкий

7.5 High

CVSS3

8.2 High

CVSS3

Дефекты

CWE-862