Moderate severity · NVD Advisory · Published Apr 8, 2022 · Updated Apr 22, 2025
Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx
CVE-2022-24821
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory, only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to create them. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-skin-skinx (Maven) | >= 13.5.0, < 13.10 | 13.10 |
| org.xwiki.platform:xwiki-platform-skin-skinx (Maven) | < 12.10.11 | 12.10.11 |
| org.xwiki.platform:xwiki-platform-skin-skinx (Maven) | >= 13.0.0, < 13.4.6 | 13.4.6 |
Affected products
- Range: > 3.1M1
References
- github.com/advisories/GHSA-ghcq-472w-vf4h (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-24821 (ghsa, ADVISORY)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h (ghsa, x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-19155 (ghsa, x_refsource_MISC, WEB)