GHSA-xh35-w7wg-95v3

GitHub Security Advisory

XWiki has no right protection on rollback action

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

### Impact

The rollback action is missing a rights check: a user can roll back a page to a previous version and thereby regain rights they no longer hold.
This vulnerability affects all versions of XWiki since the rollback action was introduced.

### Patches

The problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback.
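As an added illustration (not XWiki's code; a simplified model written here in Python with hypothetical names), the following shows why an unchecked rollback restores revoked rights, next to a rollback that, like the patch, checks the caller's rights against the current version before restoring. It assumes, as a simplification, that a page's access list is stored inside each page version, so that a rights revocation is itself a new version.

```python
# Added example, not XWiki's code. Each version of a document carries the page
# content and the page's own editor list (assumption: rights live in the page
# version). Revoking a right creates a new version, so the old one still grants it.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Version:
    content: str
    editors: frozenset  # users allowed to edit the page, as recorded in this version


@dataclass
class Document:
    history: list = field(default_factory=list)

    @property
    def current(self) -> Version:
        return self.history[-1]

    def save(self, user: str, version: Version) -> None:
        # Normal save path: only an editor of the *current* version may add one.
        if user not in self.current.editors:
            raise PermissionError(f"{user} may not edit this document")
        self.history.append(version)

    def rollback_unchecked(self, user: str, index: int) -> None:
        # Vulnerable pattern: the old version (rights included) is restored
        # without any check on who is asking.
        self.history.append(self.history[index])

    def rollback_checked(self, user: str, index: int) -> None:
        # Hardened pattern: a rollback is a save of the restored content, so it
        # needs the same right a save needs, evaluated on the current version.
        self.save(user, self.history[index])


def demo(checked: bool) -> tuple:
    # Constructed scenario: alice is an editor in version 0; admin then removes
    # her in version 1; alice asks to roll back to version 0.
    doc = Document([Version("initial page", frozenset({"admin", "alice"}))])
    doc.save("admin", Version("alice removed", frozenset({"admin"})))
    try:
        (doc.rollback_checked if checked else doc.rollback_unchecked)("alice", 0)
    except PermissionError:
        pass
    # Returns (does alice hold edit right now?, number of versions in history)
    return ("alice" in doc.current.editors, len(doc.history))
```

`demo(False)` shows alice regaining edit rights through the unchecked rollback; `demo(True)` shows the checked rollback refusing and leaving the history unchanged.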

### Workarounds

There is no workaround for this vulnerability, other than taking care to delete old versions of documents that could allow users to gain more rights.

### References

* JIRA ticket: https://jira.xwiki.org/browse/XWIKI-21257
* Commit: [4de72875ca49602796165412741033bfdbf1e680](https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680)

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-oldcore
Affected versions: 1.0 (fixed in 14.10.17)
Maven org.xwiki.platform:xwiki-platform
Affected versions: 15.0-rc-1 (fixed in 15.5.3)
Maven org.xwiki.platform:xwiki-platform
Affected versions: 15.6-rc-1 (fixed in 15.8-rc-1)

Key Information

GHSA ID: GHSA-xh35-w7wg-95v3
Published: January 8, 2024 4:25 PM
Last Modified: January 9, 2024 4:12 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-oldcore
GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.