XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Moderate severity
GitHub Reviewed
Published
Dec 12, 2024
in
xwiki/xwiki-platform
•
Updated Dec 12, 2024
Package
Affected versions
>= 1.2-milestone-2, < 15.10.9
>= 16.0.0-rc-1, < 16.3.0
Patched versions
15.10.9
16.3.0
Description
Published by the National Vulnerability Database
Dec 12, 2024
Published to the GitHub Advisory Database
Dec 12, 2024
Reviewed
Dec 12, 2024
Last updated
Dec 12, 2024
Impact
Any user with an account on the main wiki could run scheduling operations on subwikis.
To reproduce, as a user on the main wiki without any special right, view the document
Scheduler.WebHome
in a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable.Patches
This has been patched in XWiki 15.10.9 and 16.3.0.
Workarounds
If you have subwikis where the Job Scheduler is enabled, you can edit the objects on
Scheduler.WebPreferences
to match xwiki/xwiki-platform@54bcc5a#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4.References
For more information
If you have any questions or comments about this advisory:
References