Impact
There was no check on the author of a JavaScript xobject or StyleSheet xobject added to an XWiki document, so until now it was possible for a user having only Edit right to create such an object and to craft a script that performs operations when executed by a user with appropriate rights.
Patches
This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.
Workarounds
The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.
References
For more information
If you have any questions or comments about this advisory: