Incorrect Use of Privileged APIs

CVE-2022-24821

Medium

5.5/10

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: SINGLE
Integrity Impact: PARTIAL
Confidentiality Impact: PARTIAL
Availability Impact: NONE

CWE-648 - Incorrect Use of Privileged APIs

The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References

Advisory Timeline

Published Apr 08, 2022

Incorrect Use of Privileged APIs

CVE-2022-24821

Summary

CWE-648 - Incorrect Use of Privileged APIs

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS