GHSA-ghcq-472w-vf4h

GitHub Security Advisory

Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact

Simple users can create global SSX/JSX without specific rights. In theory, only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to create them.

### Patches
This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6.

### Workarounds
There's no easy workaround for this issue; administrators should upgrade their wiki.

### References
https://jira.xwiki.org/browse/XWIKI-19155

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [XWiki Security ML](mailto:[email protected])

Affected Packages

* Maven org.xwiki.platform:xwiki-platform-skin-skinx, affected versions: 13.5.0 (fixed in 13.10)
* Maven org.xwiki.platform:xwiki-platform-skin-skinx, affected versions: 0 (fixed in 12.10.11)
* Maven org.xwiki.platform:xwiki-platform-skin-skinx, affected versions: 13.0.0 (fixed in 13.4.6)
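
A version check against the patched releases named in this advisory, as an added example (not code from XWiki or from the advisory). It assumes each range runs from the listed affected version up to, but not including, the fix, takes 13.10-rc-1 from the Patches section as the fix for the 13.5.0 line, and uses a simplified comparison rather than Maven's full version ordering; the host names and the `triage` helper are constructed for illustration.

```python
import re

# (introduced, fixed) pairs from this advisory; "0" means every earlier release.
# Assumption: each range is introduced <= version < fixed, and the 13.5.0 line
# is fixed at 13.10-rc-1 as the Patches section states.
AFFECTED_RANGES = [
    ("0", "12.10.11"),
    ("13.0.0", "13.4.6"),
    ("13.5.0", "13.10-rc-1"),
]

# Simplified ordering (not Maven's full algorithm): a release candidate sorts
# before the final release with the same numbers.
_QUALIFIER_RANK = {"rc": 0, "": 1}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d+)?)?")


def version_key(text):
    """Turn '13.10-rc-1' into a tuple that compares in release order."""
    match = _VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))  # '13.10' compares as 13.10.0
    qualifier = (match.group(2) or "").lower()
    if qualifier not in _QUALIFIER_RANK:
        # Snapshots, milestones and vendor builds need a manual look.
        raise ValueError(f"unsupported qualifier in {text!r}")
    return (tuple(numbers), _QUALIFIER_RANK[qualifier], int(match.group(3) or 0))


def is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'upgrade', 'patched' or 'review' (unparseable version)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "upgrade" if is_affected(version) else "patched"
        except ValueError:
            result[host] = "review"
    return result


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE = {"wiki-a": "12.10.10", "wiki-b": "13.4.6", "wiki-c": "13.9",
          "wiki-d": "13.10-rc-1", "wiki-e": "13.10-SNAPSHOT"}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(host, SAMPLE[host], verdict)
```

Versions with a qualifier other than `rc` are reported as `review` instead of being guessed at, since a snapshot or vendor build may or may not contain the fix.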

Key Information

* GHSA ID: GHSA-ghcq-472w-vf4h
* Published: April 8, 2022 9:59 PM
* Last Modified: April 8, 2022 9:59 PM
* CVSS Score: 5.0/10
* Primary Ecosystem: Maven
* Primary Package: org.xwiki.platform:xwiki-platform-skin-skinx
* GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.