CVE-2024-38369: XWiki programming rights may be inherited by inclusion
The content of a document included with {{include reference="targetdocument"/}} is executed with the rights of the including document (that is, the rights of the including document's author), not with the rights of the included document's own author. Any user who can edit the target document can therefore place script in it and have that script run with the rights, including programming rights, of the author of the document that carries the include macro, effectively impersonating that author.
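The trust boundary this advisory describes can be audited offline: an include is risky when the including document's author holds elevated rights while the target document is editable by users who do not. The following audit helper is an added example written for this page; it is not XWiki code and not part of the advisory. It assumes a simplified page model (a Page with an author, its wiki content and the set of users allowed to edit it), a caller-supplied set of users holding programming rights, and fully qualified document references; real XWiki resolves relative references and evaluates rights through its authorization manager, which this example does not do. The sample pages and user names are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Matches an XWiki include macro such as {{include reference="Space.Page"/}}
# (also the form closed with {{/include}}); group 1 holds the parameter text.
INCLUDE_MACRO = re.compile(r"\{\{include\b([^}]*?)/?\}\}", re.IGNORECASE)
# Matches one key="value" parameter inside the macro.
MACRO_PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


@dataclass
class Page:
    """Simplified page model (assumption made for this example)."""
    reference: str                   # fully qualified reference, e.g. "Main.WebHome"
    author: str                      # user whose rights the page content runs with
    content: str                     # wiki markup
    editors: set = field(default_factory=set)  # users allowed to edit the page


def include_targets(content):
    """Return the document references named by include macros in wiki content."""
    targets = []
    for match in INCLUDE_MACRO.finditer(content):
        params = dict(MACRO_PARAM.findall(match.group(1)))
        # 'reference' is the current parameter name; 'document' is the older one.
        ref = params.get("reference") or params.get("document")
        if ref:
            targets.append(ref)
    return targets


def find_rights_escalations(pages, privileged_users):
    """List (includer, target, untrusted editors) triples.

    A finding is an include whose including document is authored by a
    privileged user while the target can be edited by someone who is not
    privileged: that editor could run script with the includer's rights.
    """
    findings = []
    for page in pages.values():
        if page.author not in privileged_users:
            continue  # included content gains nothing from this includer
        for ref in include_targets(page.content):
            target = pages.get(ref)
            if target is None:
                continue  # assumption: unresolved references are reported elsewhere
            untrusted = sorted(u for u in target.editors if u not in privileged_users)
            if untrusted:
                findings.append((page.reference, ref, untrusted))
    return findings


# Constructed sample wiki: one privileged author includes a page that a
# non-privileged user can edit; a second includer has no elevated rights.
SAMPLE_PAGES = {p.reference: p for p in [
    Page("Main.Dashboard", "XWiki.Admin",
         'Welcome.\n{{include reference="Sandbox.Widget"/}}',
         editors={"XWiki.Admin"}),
    Page("Sandbox.Widget", "XWiki.Alice",
         "Widget text (anything placed here runs with the includer's rights).",
         editors={"XWiki.Admin", "XWiki.Alice"}),
    Page("Main.Notes", "XWiki.Alice",
         '{{include document="Sandbox.Widget"/}}',
         editors={"XWiki.Alice"}),
]}
PRIVILEGED_USERS = {"XWiki.Admin"}  # assumption: users holding programming rights


if __name__ == "__main__":
    for includer, target, editors in find_rights_escalations(SAMPLE_PAGES, PRIVILEGED_USERS):
        print(f"{includer} includes {target}, editable by non-privileged {', '.join(editors)}")
```

On the sample wiki only Main.Dashboard is reported: its author holds programming rights and the included Sandbox.Widget is editable by XWiki.Alice, who does not. Main.Notes is skipped because its author has no rights worth inheriting. In a real deployment the page set would come from a XAR export or the REST API, and the privileged set from the wiki's rights configuration.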
References
- github.com/advisories/GHSA-qcj3-wpgm-qpxh
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/0a4f9b026ba9931516b4e9b3019da8da838c7ac6
- github.com/xwiki/xwiki-platform/commit/b48116a3ebe9ce928c401b5d068d4db7e7239575
- github.com/xwiki/xwiki-platform/commit/c1fb14402ce2ee569c5a8e3f1f8e64ae45dfbfb0
- github.com/xwiki/xwiki-platform/commit/d1a84a3eea38305ff8e10ba411910c0675ac157c
- github.com/xwiki/xwiki-platform/commit/f627abe2dc39b07ff75fe68398cc8a1bbc743ef7
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh
- jira.xwiki.org/browse/XWIKI-20471
- jira.xwiki.org/browse/XWIKI-5027
- nvd.nist.gov/vuln/detail/CVE-2024-38369