GHSA-2gj2-vj98-j2qq

GitHub Security Advisory

Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore

GitHub Reviewed · Severity: MODERATE · Has CVE

Advisory Details

### Impact

A user with only Script rights can enable or disable another user; this operation should only be possible for users with admin rights.
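The pattern behind this advisory, as an added illustration that is not XWiki's code and not the patch in the referenced commit: a state-changing method reachable from scripts, first without any caller check and then gated on the context user holding admin right. The `UserStatusService` and `UserStore` names are hypothetical; `ContextualAuthorizationManager`, `Right.ADMIN` and `AccessDeniedException` are the real XWiki authorization API.

```java
// Added example, not xwiki-platform code and not the actual fix from the
// advisory's commit. UserStatusService and UserStore are hypothetical names;
// the org.xwiki.security.authorization types are XWiki's real API.
import org.xwiki.security.authorization.AccessDeniedException;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

public class UserStatusService {

    private final ContextualAuthorizationManager authorization;
    private final UserStore store;

    public UserStatusService(ContextualAuthorizationManager authorization, UserStore store) {
        this.authorization = authorization;
        this.store = store;
    }

    /**
     * Vulnerable shape: Script right is enough to reach this method from a
     * wiki script, and it changes the target account without asking who the
     * caller is, so any script author can enable or disable any account.
     */
    public void setDisabledStatusUnchecked(String userId, boolean disabled) {
        store.setDisabled(userId, disabled);
    }

    /**
     * Hardened shape: the operation is gated on the current context user
     * holding ADMIN right. checkAccess throws AccessDeniedException for any
     * other caller, so a Script-only user gets an exception, not a state change.
     */
    public void setDisabledStatus(String userId, boolean disabled) throws AccessDeniedException {
        authorization.checkAccess(Right.ADMIN);
        store.setDisabled(userId, disabled);
    }

    /** Hypothetical persistence layer standing in for the user document update. */
    public interface UserStore {
        void setDisabled(String userId, boolean disabled);
    }
}
```

The point of the hardened version is that the right is checked inside the operation itself, not only at the script entry point: a method exposed to script authors must assume it will be called by the least-privileged user able to reach it.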

### Patches

This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

### Workarounds

There is no workaround other than upgrading the wiki. Note that this only affects users with Script rights: administrators should take care about which users are granted that right.

### References

* https://jira.xwiki.org/browse/XWIKI-19804
* https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])

Affected Packages

| Package | Affected versions | Fixed in |
| --- | --- | --- |
| Maven org.xwiki.platform:xwiki-platform-oldcore | 11.7RC1 | 13.10.7 |
| Maven org.xwiki.platform:xwiki-platform-oldcore | 14.0.0 | 14.4.2 |

Key Information

* GHSA ID: GHSA-2gj2-vj98-j2qq
* Published: November 21, 2022 10:35 PM
* Last Modified: November 21, 2022 10:35 PM
* CVSS Score: 5.0 / 10
* Primary Ecosystem: Maven
* Primary Package: org.xwiki.platform:xwiki-platform-oldcore
* GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.