Advisories for Maven/org.xwiki.platform/xwiki-platform-attachment-api package

2023

org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document (this can be the user profile, which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker …