
GHSA-8692-g6g9-gm5p

GitHub Security Advisory

xwiki contains Exposed Dangerous Method or Function

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
`org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not meant to be exposed to users without the `programming` right.
`com.xpn.xwiki.api.Attachment` should be used instead: it takes care of checking the user's rights before performing dangerous operations.
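The pattern behind this advisory, as an added illustration that is not XWiki's code: a script service that hands script authors the raw internal model object (which enforces no rights) versus one that returns a wrapper whose mutating methods check the caller's rights first. Every class, method and right name below (`InternalAttachment`, `AttachmentApi`, `ScriptContext`, `TemporaryAttachmentsService`, the `"programming"` string) is a hypothetical stand-in chosen to mirror the roles of `XWikiAttachment` and `Attachment` described above, not the real XWiki API.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the internal model object (the role XWikiAttachment
// plays in the advisory). It performs no authorization: whoever holds a reference
// can mutate or delete the stored content.
class InternalAttachment {
    private final String filename;
    private byte[] content;

    InternalAttachment(String filename, byte[] content) {
        this.filename = filename;
        this.content = content.clone();
    }

    String getFilename() { return filename; }
    byte[] getContent() { return content.clone(); }
    void setContent(byte[] newContent) { content = newContent.clone(); } // no rights check
    void delete() { content = new byte[0]; }                              // no rights check
}

// Hypothetical caller security context: the set of rights the script author holds.
class ScriptContext {
    private final Set<String> rights = new HashSet<>();

    ScriptContext(String... granted) { rights.addAll(Arrays.asList(granted)); }

    boolean hasRight(String right) { return rights.contains(right); }
}

// Hypothetical rights-checking wrapper (the role com.xpn.xwiki.api.Attachment plays).
// Read-only accessors pass straight through; anything that mutates state, and
// unwrapping the internal object itself, require the "programming" right.
class AttachmentApi {
    private final InternalAttachment internal;
    private final ScriptContext context;

    AttachmentApi(InternalAttachment internal, ScriptContext context) {
        this.internal = internal;
        this.context = context;
    }

    String getFilename() { return internal.getFilename(); }
    byte[] getContent() { return internal.getContent(); }

    void setContent(byte[] newContent) {
        requireProgramming();
        internal.setContent(newContent);
    }

    void delete() {
        requireProgramming();
        internal.delete();
    }

    // Escape hatch for privileged code only: the raw object never leaks to ordinary scripts.
    InternalAttachment getInternal() {
        requireProgramming();
        return internal;
    }

    private void requireProgramming() {
        if (!context.hasRight("programming")) {
            throw new SecurityException("programming right required");
        }
    }
}

// Hypothetical script service showing the vulnerable and the fixed return types side by side.
class TemporaryAttachmentsService {
    // Vulnerable shape: the raw internal object reaches any script author.
    InternalAttachment uploadUnsafe(ScriptContext ctx, String name, byte[] data) {
        return new InternalAttachment(name, data);
    }

    // Fixed shape: the wrapper is returned, so every mutating path is gated by a rights check.
    AttachmentApi upload(ScriptContext ctx, String name, byte[] data) {
        return new AttachmentApi(new InternalAttachment(name, data), ctx);
    }
}

public class ExposedMethodDemo {
    public static void main(String[] args) {
        // Constructed sample: a script author holding only an (assumed) "script" right.
        ScriptContext scriptAuthor = new ScriptContext("script");
        TemporaryAttachmentsService service = new TemporaryAttachmentsService();
        byte[] data = "hello".getBytes();

        // Vulnerable path: mutation succeeds with no check at all.
        InternalAttachment raw = service.uploadUnsafe(scriptAuthor, "a.txt", data);
        raw.setContent("tampered".getBytes());
        System.out.println("unsafe: " + new String(raw.getContent()));

        // Fixed path: reading works, mutation is refused for the same caller.
        AttachmentApi wrapped = service.upload(scriptAuthor, "a.txt", data);
        System.out.println("wrapped read: " + new String(wrapped.getContent()));
        try {
            wrapped.setContent("tampered".getBytes());
        } catch (SecurityException e) {
            System.out.println("wrapped write denied: " + e.getMessage());
        }
    }
}
```

The review check this suggests for any script-exposed service is a type audit of its public return values: every object handed to script code should be the rights-checking wrapper type, and any method whose signature returns an internal model class (here `InternalAttachment`; in XWiki, `com.xpn.xwiki.doc.XWikiAttachment`) is a finding to fix, independent of what the caller does with it.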

### Patches
This has been patched in versions 14.9-rc-1 and 14.4.6.

### Workarounds
There's no workaround for this issue.

### References
https://jira.xwiki.org/browse/XWIKI-20180

### For more information
If you have any questions or comments about this advisory:

* Open an issue in [JIRA](https://jira.xwiki.org/)
* Email us at [security ML](mailto:[email protected])

Affected Packages

* Maven `org.xwiki.platform:xwiki-platform-store-filesystem-oldcore`, affected versions: 14.3-rc-1 (fixed in 14.4.6)
* Maven `org.xwiki.platform:xwiki-platform-store-filesystem-oldcore`, affected versions: 14.5 (fixed in 14.9-rc-1)

Key Information

* GHSA ID: GHSA-8692-g6g9-gm5p
* Published: March 3, 2023 10:52 PM
* Last Modified: March 3, 2023 10:52 PM
* CVSS Score: 5.0 /10
* Primary Ecosystem: Maven
* Primary Package: `org.xwiki.platform:xwiki-platform-store-filesystem-oldcore`
* GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.