Description
org.xwiki.platform:xwiki-platform-oldcore is missing an authorization check in `User#setDisabledStatus`, which may allow a user who holds only Script rights to enable or disable a user account. This operation is meant to be available only to users with admin rights. The problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.