XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesnt take dropped programming rights into account. The Solr script service that is accessible in XWikis scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesnt take the fact into account that programming rights might have been dropped by calling $xcontext.dropPermissions(). If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xwiki | Xwiki | 4.5.1 (including) | 15.10.13 (excluding) |
| Xwiki | Xwiki | 16.0.0 (including) | 16.4.4 (excluding) |
| Xwiki | Xwiki | 16.5.0 (including) | 16.8.0 (excluding) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.