CVE-2023-26478: xwiki contains Exposed Dangerous Method or Function

March 3, 2023

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment returns an instance of com.xpn.xwiki.doc.XWikiAttachment. This class is not supported to be exposed to users without the programing right. com.xpn.xwiki.api.Attachment should be used instead and takes case of checking the user’s rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.

References

github.com/advisories/GHSA-8692-g6g9-gm5p
github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d
github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p
jira.xwiki.org/browse/XWIKI-20180
nvd.nist.gov/vuln/detail/CVE-2023-26478

Detect and mitigate CVE-2023-26478 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →