Description
The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user's view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints the content attribute of the doc variable.
Remediation
References
Related Vulnerabilities
Jboss EAP Improper Neutralization of CRLF Sequences ('CRLF Injection') Vulnerability (CVE-2016-4993)
Grafana Authentication Bypass by Spoofing Vulnerability (CVE-2023-3128)
WordPress Plugin WP htaccess Control Unspecified Vulnerability (2.4)
WordPress Plugin Cryptocurrency Widgets For Elementor Security Bypass (1.2.1)
Ruby on Rails URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2021-22881)