Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection, a user can rollback to a previous version of the page to gain rights they don't have anymore. The problem has been patched in XWiki 14.10.17, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback.

Remediation

References

CVE-2024-21648

Related Vulnerabilities

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark SQL Injection (2.9.3)

PHP Permissions, Privileges, and Access Controls Vulnerability (CVE-2007-5900)

Jenkins Uncontrolled Resource Consumption Vulnerability (CVE-2012-0785)

Joomla! Core 1.7.0 Information Disclosure (1.7.0)

Moodle CVE-2023-5543 Vulnerability (CVE-2023-5543)

Severity

High

Classification

CVE-2024-21648 CWE-274 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities