Description
org.xwiki.platform:xwiki-platform-oldcore is missing an authorization check in User#setDisabledStatus, which may allow a user with only Script rights to enable or disable a user. This operation is meant to be available only to users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
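The class of bug described above, shown as an added, simplified model and not XWiki source code: a script-facing wrapper that forwards a state change to an internal object without checking the caller's rights, next to a version that enforces the admin requirement. All class, enum and method names other than setDisabledStatus are hypothetical.

```java
import java.util.EnumSet;
import java.util.Set;

// Simplified model, NOT XWiki source: all class and method names below are hypothetical.
public class DisabledStatusCheck {
    enum Right { VIEW, SCRIPT, ADMIN }

    // Internal account object: performs no rights checks of its own.
    static class Account {
        boolean disabled;
    }

    // Object handed to scripts; it wraps the account on behalf of one calling user.
    static class ScriptUserApi {
        private final Account target;
        private final Set<Right> callerRights;

        ScriptUserApi(Account target, Set<Right> callerRights) {
            this.target = target;
            this.callerRights = callerRights;
        }

        // Before: any caller able to run a script reaches the internal setter.
        void setDisabledStatusUnchecked(boolean disabled) {
            target.disabled = disabled;
        }

        // After: the wrapper enforces the admin requirement and reports the outcome.
        boolean setDisabledStatus(boolean disabled) {
            if (!callerRights.contains(Right.ADMIN)) {
                return false; // denied, account state unchanged
            }
            target.disabled = disabled;
            return true;
        }
    }

    public static void main(String[] args) {
        Account account = new Account();
        ScriptUserApi scripter = new ScriptUserApi(account, EnumSet.of(Right.VIEW, Right.SCRIPT));
        ScriptUserApi admin = new ScriptUserApi(account, EnumSet.of(Right.VIEW, Right.SCRIPT, Right.ADMIN));

        scripter.setDisabledStatusUnchecked(true);
        System.out.println("unchecked, script-only caller: disabled=" + account.disabled);
        account.disabled = false; // reset the model before exercising the checked path
        System.out.println("checked, script-only caller: allowed=" + scripter.setDisabledStatus(true)
                + " disabled=" + account.disabled);
        System.out.println("checked, admin caller: allowed=" + admin.setDisabledStatus(true)
                + " disabled=" + account.disabled);
    }
}
```

The same three cases (script-only caller on the unchecked path, script-only caller on the checked path, admin caller) make a compact regression test for any script-exposed method that changes account state.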
Remediation
References
Related Vulnerabilities
Drupal Core 9.0.x Arbitrary File Overwrite (9.0.0 - 9.0.10)
WordPress Plugin WP Job Manager PHP Object Injection (1.29.2)
WordPress Plugin WP Construction Mode Cross-Site Request Forgery (3.31)
Nginx Insufficient Session Expiration Vulnerability (CVE-2014-3616)
WordPress Plugin Happy Addons for Elementor Cross-Site Scripting (2.23.0)