Description

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue.

Remediation

References

CVE-2023-26478

Related Vulnerabilities

OpenSSL Integer Overflow or Wraparound Vulnerability (CVE-2016-2177)

WordPress Plugin Download Manager PHAR Deserialization (3.2.49)

WordPress Plugin Photospace Responsive Gallery Unspecified Vulnerability (1.1.7)

WordPress Plugin WP Survey And Quiz Tool 'rowcount' Parameter Cross-Site Scripting (2.9.2)

WordPress Plugin WooCommerce Amazon Affiliates Multiple Vulnerabilities (8.0)

Severity

High

Classification

CVE-2023-26478 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Tags

Missing Update Known Vulnerabilities