Critical severity · NVD Advisory · Published Jun 20, 2024 · Updated Aug 13, 2024

Disabling a user account changes its author, allowing RCE from user account in XWiki

CVE-2024-37899

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile document is saved with the admin recorded as its author, so the profile is subsequently executed with the admin's rights. A user can therefore place malicious code in their own profile and then get an admin to disable the account. To reproduce, as a user without script or programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}. As an admin, go to the user profile and click the "Disable this account" button, then reload the page. If the logs show attacker - Hello from Groovy! then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
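The pre-condition of the attack above is a script macro sitting in a profile field that the admin's click will cause to be rendered. As an added example, not code from the advisory or from the XWiki project, the following scanner flags XWiki 2.x script macros in user-profile fields so an administrator can check a profile before disabling it. It assumes the About text is the `comment` property of the XWiki.XWikiUsers object and that the listed macro names are the script macros that matter; both are assumptions to verify against your class definition and installed macros. The sample profiles are constructed; the first carries the advisory's own payload.

```python
import re

# XWiki 2.x syntax script macros whose body runs server-side with the rights
# of the document's author. Non-exhaustive list (assumption).
SCRIPT_MACROS = {"groovy", "velocity", "python", "ruby", "php", "script"}

# Verbatim blocks {{{ ... }}} are rendered literally, so macros inside them
# are inert; strip them before scanning.
VERBATIM_RE = re.compile(r"\{\{\{.*?\}\}\}", re.DOTALL)

# Opening or self-closing macro: {{name param="v"}} or {{name/}}.
# The (?!/) lookahead skips closing tags such as {{/groovy}}.
MACRO_RE = re.compile(r"\{\{(?!/)\s*(?P<name>[A-Za-z][\w-]*)(?P<params>[^}]*?)/?\}\}")

# Profile object properties that accept wiki syntax and are rendered by the
# profile sheet. "comment" is the About field (assumption; verify against
# your XWiki.XWikiUsers class).
RENDERED_PROFILE_FIELDS = ("comment",)


def find_script_macros(text):
    """Return one dict per script macro found in a piece of XWiki 2.x syntax."""
    cleaned = VERBATIM_RE.sub("", text or "")
    findings = []
    for m in MACRO_RE.finditer(cleaned):
        name = m.group("name").lower()
        if name in SCRIPT_MACROS:
            findings.append({
                "macro": name,
                "params": m.group("params").strip(),
                "offset": m.start(),
            })
    return findings


def profile_findings(profile):
    """Scan the rendered fields of one user profile (dict of property -> value)."""
    return [
        {"field": field, **hit}
        for field in RENDERED_PROFILE_FIELDS
        for hit in find_script_macros(profile.get(field, ""))
    ]


def safe_to_disable(profile):
    """True when no script macro was found in the profile's rendered fields."""
    return not profile_findings(profile)


# Constructed sample profiles (not real data).
SAMPLE_PROFILES = {
    "XWiki.Mallory": {
        "first_name": "Mallory",
        "comment": '{{groovy}}services.logging.getLogger("attacker")'
                   '.error("Hello from Groovy!"){{/groovy}}',
    },
    "XWiki.Alice": {
        "first_name": "Alice",
        # Macro inside a verbatim block: displayed, never executed.
        "comment": "Backend engineer. Example of the syntax: {{{ {{groovy}} }}}",
    },
    "XWiki.Bob": {
        "first_name": "Bob",
        "comment": '{{script language="python"}}print 1{{/script}}',
    },
}


if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        hits = profile_findings(profile)
        verdict = "OK to disable" if not hits else "DO NOT DISABLE until cleaned"
        print("%s: %s" % (name, verdict))
        for hit in hits:
            print("  %s: {{%s}} at offset %d %s"
                  % (hit["field"], hit["macro"], hit["offset"], hit["params"]))
```

Run it against an export of the user documents (or wire `profile_findings` to the REST API) before bulk-disabling accounts on an instance that has not yet been upgraded; the scanner is a stop-gap for triage, not a substitute for the patch, since any rendered field the sheet evaluates would need to be in `RENDERED_PROFILE_FIELDS`.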

Workarounds

We're not aware of any workaround except upgrading.

References

* https://jira.xwiki.org/browse/XWIKI-21611
* https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 13.4.7, < 14.10.21 | 14.10.21 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 13.10.3, < 14.10.21 | 14.10.21 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 15.0-rc-1, < 15.5.5 | 15.5.5 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 15.6-rc-1, < 15.10.6 | 15.10.6 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 16.0.0-rc-1, < 16.0.0 | 16.0.0 |
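Checking an installed oldcore version against these ranges is easy to get wrong with a string comparison, which sorts 15.0-rc-1 after 15.0 and 16.0.0-rc-1 after 16.0.0. The block below is an added example, not advisory or project code: it encodes the table above and compares versions with pre-release qualifiers ordered below the corresponding final release. The ranking milestone < rc < release is an assumption about how XWiki numbers its pre-releases, noted in the code.

```python
import re

# Affected ranges for org.xwiki.platform:xwiki-platform-oldcore, copied from
# the advisory table: (inclusive lower bound, exclusive upper bound, fix).
AFFECTED_RANGES = [
    ("13.4.7", "14.10.21", "14.10.21"),
    ("13.10.3", "14.10.21", "14.10.21"),
    ("15.0-rc-1", "15.5.5", "15.5.5"),
    ("15.6-rc-1", "15.10.6", "15.10.6"),
    ("16.0.0-rc-1", "16.0.0", "16.0.0"),
]

# Pre-release qualifiers sort below a final release of the same number.
# milestone < rc < release is an assumption about XWiki's numbering.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
RELEASE_RANK = 2

VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?:-(?P<qual>[a-z]+)-?(?P<qnum>\d+)?)?$"
)


def version_key(version):
    """Comparable tuple: 15.0-rc-1 < 15.0 < 15.5.5 and 16.0.0-rc-1 < 16.0.0."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    nums = [int(n) for n in m.group("nums").split(".")]
    nums += [0] * (3 - len(nums))          # 15.0 compares equal to 15.0.0
    if m.group("qual") is None:
        return (tuple(nums), RELEASE_RANK, 0)
    rank = QUALIFIER_RANK.get(m.group("qual"))
    if rank is None:
        raise ValueError("unknown qualifier in %r" % version)
    return (tuple(nums), rank, int(m.group("qnum") or 0))


def fix_version_for(installed):
    """Return the patched version to upgrade to, or None if not affected."""
    key = version_key(installed)
    for lower, upper, fixed in AFFECTED_RANGES:
        if version_key(lower) <= key < version_key(upper):
            return fixed
    return None


if __name__ == "__main__":
    for v in ("14.10.20", "14.10.21", "15.0-rc-1", "15.5.5", "16.0.0-rc-1", "16.0.0"):
        fix = fix_version_for(v)
        print("%-12s %s" % (v, "upgrade to " + fix if fix else "not affected"))
```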


Patches (5 commits)
2b55c29562cc

XWIKI-21611: Set right author when disabling/enabling an account

https://github.com/xwiki/xwiki-platform · Pierre Jeanjean · Jan 25, 2024 · via ghsa
2 files changed · +10 −1
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/pom.xml+7 0 modified
    @@ -64,6 +64,13 @@
           <version>${project.version}</version>
           <type>xar</type>
         </dependency>
    +    <!-- The UserProfile sheet is used to disable/enable user profiles -->
    +    <dependency>
    +      <groupId>org.xwiki.platform</groupId>
    +      <artifactId>xwiki-platform-user-profile-ui</artifactId>
    +      <version>${project.version}</version>
    +      <type>xar</type>
    +    </dependency>
         <!-- ================================
              Test only dependencies
              ================================ -->
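Review bot: The comment on the new xar dependency says what the UserProfile sheet does but not why this test module suddenly needs it; in the companion commit f89c8f47fad6 the disable/enable links in getusers.vm are re-pointed at XWiki.XWikiUserProfileSheet, so without this xar installed in the wiki under test the UsersGroupsRightsManagementIT scenario would hit a missing page. Spell that out in the comment and cite XWIKI-21611, otherwise the dependency looks unrelated to the rights fix and is easy to prune later. Placement above the "Test only dependencies" marker is consistent with the xar dependency just before it.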
    
  • xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-test/xwiki-platform-administration-test-docker/src/test/it/org/xwiki/administration/test/ui/UsersGroupsRightsManagementIT.java+3 1 modified
    @@ -45,7 +45,9 @@
     
     @UITest(properties = {
         // Add the RightsManagerPlugin needed by the test
    -    "xwikiCfgPlugins=com.xpn.xwiki.plugin.rightsmanager.RightsManagerPlugin"
    +    "xwikiCfgPlugins=com.xpn.xwiki.plugin.rightsmanager.RightsManagerPlugin",
    +    // Programming rights are required to disable/enable user profiles (cf. XWIKI-21238)
    +    "xwikiPropertiesAdditionalProperties=test.prchecker.excludePattern=.*:XWiki\\.XWikiUserProfileSheet"
     })
     public class UsersGroupsRightsManagementIT
     {
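Review bot: The added `test.prchecker.excludePattern=.*:XWiki\\.XWikiUserProfileSheet` exempts that sheet from the programming-rights checker in every wiki the test touches, so this suite will no longer flag the sheet if it later starts leaking programming rights; the comment gives XWIKI-21238 as the reason, so extend it to say this is a deliberate, test-scoped exemption rather than a pattern to copy into other suites. The doubled backslash is correct: the value is a Java string literal, so the regex receives `\.` and matches a literal dot.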
    
046c36519a2d

XWIKI-21611: Set right author when disabling/enabling an account

https://github.com/xwiki/xwiki-platform · Pierre Jeanjean · Jan 25, 2024 · via ghsa
Same change as 2b55c29562cc above (diff identical; not repeated).
    
233b08b26580

XWIKI-21611: Set right author when disabling/enabling an account

https://github.com/xwiki/xwiki-platform · Pierre Jeanjean · Jan 25, 2024 · via ghsa
Same change as 2b55c29562cc above (diff identical; not repeated).
    
f8409419c5d0

XWIKI-21611: Set right author when disabling/enabling an account

https://github.com/xwiki/xwiki-platform · Pierre Jeanjean · Jan 25, 2024 · via ghsa
Same change as 2b55c29562cc above (diff identical; not repeated).
    
f89c8f47fad6

XWIKI-21611: Set right author when disabling/enabling an account

https://github.com/xwiki/xwiki-platform · pjeanjean · Jan 16, 2024 · via ghsa
3 files changed · +128 −94
  • xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/user/api/XWikiUser.java+16 1 modified
    @@ -31,6 +31,8 @@
     import org.xwiki.model.reference.EntityReferenceSerializer;
     import org.xwiki.model.reference.LocalDocumentReference;
     import org.xwiki.model.reference.WikiReference;
    +import org.xwiki.user.UserReference;
    +import org.xwiki.user.UserReferenceResolver;
     
     import com.xpn.xwiki.XWiki;
     import com.xpn.xwiki.XWikiContext;
    @@ -71,6 +73,8 @@ public class XWikiUser
     
         private ContextualLocalizationManager localization;
     
    +    private UserReferenceResolver<DocumentReference> documentReferenceUserReferenceResolver;
    +
         private Logger logger = LoggerFactory.getLogger(XWikiUser.class);
     
         private String fullName;
    @@ -204,6 +208,15 @@ private EntityReferenceSerializer<String> getLocalEntityReferenceSerializer()
             return localEntityReferenceSerializer;
         }
     
    +    private UserReferenceResolver<DocumentReference> getDocumentReferenceUserReferenceResolver()
    +    {
    +        if (this.documentReferenceUserReferenceResolver == null) {
    +            this.documentReferenceUserReferenceResolver =
    +                Utils.getComponent(UserReferenceResolver.TYPE_DOCUMENT_REFERENCE, "document");
    +        }
    +        return this.documentReferenceUserReferenceResolver;
    +    }
    +
         private ContextualLocalizationManager getLocalization()
         {
             if (this.localization == null) {
    @@ -337,7 +350,9 @@ public void setDisabled(boolean disable, XWikiContext context)
                     XWikiDocument userdoc = getUserDocument(context);
                     userdoc.setIntValue(getUserClassReference(userdoc.getDocumentReference().getWikiReference()),
                         ACTIVE_PROPERTY, activeFlag);
    -                userdoc.setAuthorReference(context.getUserReference());
    +                UserReference userReference =
    +                    getDocumentReferenceUserReferenceResolver().resolve(context.getUserReference());
    +                userdoc.getAuthors().setOriginalMetadataAuthor(userReference);
                     context.getWiki().saveDocument(userdoc,
                         localizePlainOrKey("core.users." + (disable ? "disable" : "enable") + ".saveComment"), context);
                 } catch (XWikiException e) {
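Review bot: Only the original metadata author is replaced here, and the unit test in this commit pins that `setEffectiveMetadataAuthor` is never called; that is the security property (the admin is recorded as the last modifier but does not become the rights-bearing author of a profile that may contain script macros), so state it in a one-line comment above `setOriginalMetadataAuthor`, or a future cleanup will fold this back into `setAuthorReference`, which is exactly the line being removed. Also confirm that `getDocumentReferenceUserReferenceResolver().resolve(context.getUserReference())` tolerates a null context user; the replaced call took whatever the context held, and this path is reachable from the sheet that the getusers.vm hunk now links to.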
    
  • xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/user/api/XWikiUserTest.java+102 85 modified
    @@ -19,12 +19,17 @@
      */
     package com.xpn.xwiki.user.api;
     
    +import javax.inject.Named;
    +
     import org.junit.jupiter.api.BeforeEach;
     import org.junit.jupiter.api.Test;
     import org.mockito.Mock;
     import org.xwiki.localization.ContextualLocalizationManager;
    +import org.xwiki.model.document.DocumentAuthors;
     import org.xwiki.model.reference.DocumentReference;
    +import org.xwiki.test.junit5.mockito.MockComponent;
     import org.xwiki.test.mockito.MockitoComponentManager;
    +import org.xwiki.user.UserReferenceResolver;
     
     import com.xpn.xwiki.XWikiException;
     import com.xpn.xwiki.doc.XWikiDocument;
    @@ -56,21 +61,29 @@ public class XWikiUserTest
         @InjectMockitoOldcore
         private MockitoOldcore mockitoOldcore;
     
    +    @MockComponent
    +    @Named("document")
    +    private UserReferenceResolver<DocumentReference> documentReferenceUserReferenceResolver;
    +
         @Mock
         private XWikiDocument userDocument;
     
    -    private DocumentReference userClassReference = new DocumentReference("xwiki", "XWiki", "XWikiUsers");
    +    @Mock
    +    private DocumentAuthors authors;
    +
    +    private final DocumentReference userClassReference = new DocumentReference("xwiki", "XWiki", "XWikiUsers");
     
    -    private DocumentReference userReference = new DocumentReference("xwiki", "XWiki", "Foo");
    +    private final DocumentReference userReference = new DocumentReference("xwiki", "XWiki", "Foo");
     
         @BeforeEach
         public void setup(MockitoComponentManager componentManager) throws Exception
         {
    -        when(mockitoOldcore.getSpyXWiki().getDocument(userReference, mockitoOldcore.getXWikiContext()))
    -            .thenReturn(userDocument);
    -        when(userDocument.getDocumentReference()).thenReturn(userReference);
    -        when(userDocument.getDocumentReferenceWithLocale()).thenReturn(userReference);
    -        when(userDocument.clone()).thenReturn(userDocument);
    +        when(this.mockitoOldcore.getSpyXWiki().getDocument(this.userReference, this.mockitoOldcore.getXWikiContext()))
    +            .thenReturn(this.userDocument);
    +        when(this.userDocument.getDocumentReference()).thenReturn(this.userReference);
    +        when(this.userDocument.getDocumentReferenceWithLocale()).thenReturn(this.userReference);
    +        when(this.userDocument.getAuthors()).thenReturn(this.authors);
    +        when(this.userDocument.clone()).thenReturn(this.userDocument);
             componentManager.registerMockComponent(ContextualLocalizationManager.class, "default");
         }
     
    @@ -95,138 +108,142 @@ public void createWithNullFullName()
         @Test
         public void isDisabled()
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        when(userDocument.getIntValue(userClassReference, XWikiUser.ACTIVE_PROPERTY, 1)).thenReturn(1);
    -        assertFalse(user.isDisabled(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        when(this.userDocument.getIntValue(this.userClassReference, XWikiUser.ACTIVE_PROPERTY, 1)).thenReturn(1);
    +        assertFalse(user.isDisabled(this.mockitoOldcore.getXWikiContext()));
     
    -        when(userDocument.getIntValue(userClassReference, XWikiUser.ACTIVE_PROPERTY, 1)).thenReturn(0);
    -        assertTrue(user.isDisabled(mockitoOldcore.getXWikiContext()));
    +        when(this.userDocument.getIntValue(this.userClassReference, XWikiUser.ACTIVE_PROPERTY, 1)).thenReturn(0);
    +        assertTrue(user.isDisabled(this.mockitoOldcore.getXWikiContext()));
     
             user = new XWikiUser((DocumentReference) null);
    -        assertFalse(user.isDisabled(mockitoOldcore.getXWikiContext()));
    +        assertFalse(user.isDisabled(this.mockitoOldcore.getXWikiContext()));
     
             user = new XWikiUser(XWikiRightService.SUPERADMIN_USER_FULLNAME);
    -        assertFalse(user.isDisabled(mockitoOldcore.getXWikiContext()));
    +        assertFalse(user.isDisabled(this.mockitoOldcore.getXWikiContext()));
         }
     
         @Test
         public void setDisabledFalseNormalUser() throws XWikiException
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        user.setDisabled(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, times(1)).setIntValue(userClassReference, XWikiUser.ACTIVE_PROPERTY, 1);
    -        verify(mockitoOldcore.getSpyXWiki(), times(1))
    -            .saveDocument(same(userDocument), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        user.setDisabled(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, times(1)).setIntValue(this.userClassReference, XWikiUser.ACTIVE_PROPERTY, 1);
    +        verify(this.mockitoOldcore.getSpyXWiki(), times(1))
    +            .saveDocument(same(this.userDocument), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +        verify(this.authors, times(1)).setOriginalMetadataAuthor(any());
    +        verify(this.authors, never()).setEffectiveMetadataAuthor(any());
         }
     
         @Test
         public void setDisabledTrueNormalUser() throws XWikiException
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        user.setDisabled(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, times(1)).setIntValue(userClassReference, XWikiUser.ACTIVE_PROPERTY, 0);
    -        verify(mockitoOldcore.getSpyXWiki(), times(1))
    -            .saveDocument(same(userDocument), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        user.setDisabled(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, times(1)).setIntValue(this.userClassReference, XWikiUser.ACTIVE_PROPERTY, 0);
    +        verify(this.mockitoOldcore.getSpyXWiki(), times(1))
    +            .saveDocument(same(this.userDocument), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +        verify(this.authors, times(1)).setOriginalMetadataAuthor(any());
    +        verify(this.authors, never()).setEffectiveMetadataAuthor(any());
         }
     
         @Test
         public void setDisabledGuestOrSuperadminUser() throws XWikiException
         {
             // With guest user we never save anything
             XWikiUser user = new XWikiUser((DocumentReference) null);
    -        user.setDisabled(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    -
    -        user.setDisabled(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        user.setDisabled(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +
    +        user.setDisabled(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
     
             // With superadmin user we never save anything
             user = new XWikiUser(XWikiRightService.SUPERADMIN_USER_FULLNAME);
    -        user.setDisabled(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    -
    -        user.setDisabled(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        user.setDisabled(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +
    +        user.setDisabled(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
         }
     
         @Test
         public void isEmailChecked()
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        when(userDocument.getIntValue(userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1)).thenReturn(1);
    -        assertTrue(user.isEmailChecked(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        when(this.userDocument.getIntValue(this.userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1)).thenReturn(1);
    +        assertTrue(user.isEmailChecked(this.mockitoOldcore.getXWikiContext()));
     
    -        when(userDocument.getIntValue(userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1)).thenReturn(0);
    -        assertFalse(user.isEmailChecked(mockitoOldcore.getXWikiContext()));
    +        when(this.userDocument.getIntValue(this.userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1)).thenReturn(0);
    +        assertFalse(user.isEmailChecked(this.mockitoOldcore.getXWikiContext()));
     
             user = new XWikiUser((DocumentReference) null);
    -        assertTrue(user.isEmailChecked(mockitoOldcore.getXWikiContext()));
    +        assertTrue(user.isEmailChecked(this.mockitoOldcore.getXWikiContext()));
     
             user = new XWikiUser(XWikiRightService.SUPERADMIN_USER_FULLNAME);
    -        assertTrue(user.isEmailChecked(mockitoOldcore.getXWikiContext()));
    +        assertTrue(user.isEmailChecked(this.mockitoOldcore.getXWikiContext()));
         }
     
         @Test
         public void setEmailCheckedFalseNormalUser() throws XWikiException
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        user.setEmailChecked(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, times(1)).setIntValue(userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 0);
    -        verify(mockitoOldcore.getSpyXWiki(), times(1))
    -            .saveDocument(same(userDocument), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        user.setEmailChecked(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, times(1)).setIntValue(this.userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 0);
    +        verify(this.mockitoOldcore.getSpyXWiki(), times(1))
    +            .saveDocument(same(this.userDocument), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
         }
     
         @Test
         public void setEmailCheckedTrueNormalUser() throws XWikiException
         {
    -        XWikiUser user = new XWikiUser(userReference);
    -        user.setEmailChecked(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, times(1)).setIntValue(userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1);
    -        verify(mockitoOldcore.getSpyXWiki(), times(1))
    -            .saveDocument(same(userDocument), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        XWikiUser user = new XWikiUser(this.userReference);
    +        user.setEmailChecked(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, times(1)).setIntValue(this.userClassReference, XWikiUser.EMAIL_CHECKED_PROPERTY, 1);
    +        verify(this.mockitoOldcore.getSpyXWiki(), times(1))
    +            .saveDocument(same(this.userDocument), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
         }
     
         @Test
         public void setEmailCheckedGuestOrSuperadminUser() throws XWikiException
         {
             // With guest user we never save anything
             XWikiUser user = new XWikiUser((DocumentReference) null);
    -        user.setEmailChecked(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    -
    -        user.setEmailChecked(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        user.setEmailChecked(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +
    +        user.setEmailChecked(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
     
             // With superadmin user we never save anything
             user = new XWikiUser(XWikiRightService.SUPERADMIN_USER_FULLNAME);
    -        user.setEmailChecked(true, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    -
    -        user.setEmailChecked(false, mockitoOldcore.getXWikiContext());
    -        verify(userDocument, never())
    -            .setIntValue(same(userClassReference), any(String.class), any(Integer.class));
    -        verify(mockitoOldcore.getSpyXWiki(), never())
    -            .saveDocument(any(XWikiDocument.class), any(String.class), same(mockitoOldcore.getXWikiContext()));
    +        user.setEmailChecked(true, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
    +
    +        user.setEmailChecked(false, this.mockitoOldcore.getXWikiContext());
    +        verify(this.userDocument, never())
    +            .setIntValue(same(this.userClassReference), any(String.class), any(Integer.class));
    +        verify(this.mockitoOldcore.getSpyXWiki(), never())
    +            .saveDocument(any(XWikiDocument.class), any(String.class), same(this.mockitoOldcore.getXWikiContext()));
         }
     }
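Review bot: The two assertions that actually cover the fix, `verify(this.authors, times(1)).setOriginalMetadataAuthor(any())` and `verify(this.authors, never()).setEffectiveMetadataAuthor(any())`, are buried in about a hundred lines of `this.`-prefix churn; put the style change in a separate commit so the security-relevant diff can be reviewed on its own. Also, the `@MockComponent` resolver declared in the setup hunk is never stubbed, so `resolve()` returns null and `setOriginalMetadataAuthor(any())` passes regardless of what was resolved; stub it in `setup` with a known UserReference and verify with that value instead of `any()` so the test fails if the wrong author is resolved.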
    
  • xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/getusers.vm+10 8 modified
    @@ -128,16 +128,18 @@
           'doc_hasdelete': $hasDelete,
           'doc_delete_url': $user.getURL('delete'),
           'doc_hasdisable': $hasDisable,
    -      'doc_disable_url': $user.getURL('save', $escapetool.url({
    -        "${userClassName}_0_active": 0,
    -        'comment': $services.localization.render('core.users.disable.saveComment'),
    -        'form_token': $services.csrf.token
    +      'doc_disable_url': $xwiki.getURL('XWiki.XWikiUserProfileSheet', 'get', $escapetool.url({
    +        'outputSyntax': 'plain',
    +        'action': 'disable',
    +        'userId': $user.documentReference,
    +        'csrf': $services.csrf.token
           })),
           'doc_hasenable': $hasEnable,
    -      'doc_enable_url': $user.getURL('save', $escapetool.url({
    -        "${userClassName}_0_active": 1,
    -        'comment': $services.localization.render('core.users.enable.saveComment'),
    -        'form_token': $services.csrf.token
    +      'doc_enable_url': $xwiki.getURL('XWiki.XWikiUserProfileSheet', 'get', $escapetool.url({
    +        'outputSyntax': 'plain',
    +        'action': 'enable',
    +        'userId': $user.documentReference,
    +        'csrf': $services.csrf.token
           })),
           'name': "#displayUserAliasWithAvatar($user.documentReference $disabled)",
           'first_name': $userObject.getValue('first_name'),
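Review bot: The disable/enable links now issue a `get` request to XWiki.XWikiUserProfileSheet carrying `action`, `userId` and a `csrf` token instead of a `save` on the user document; whether the sheet validates `csrf` before acting and whether it goes through `XWikiUser.setDisabled` (so the author handling changed in this same commit applies) is not visible in this diff and needs to be checked in the sheet itself. `userId` is passed as `$user.documentReference`, an object whose string form `$escapetool.url` has to pick; serializing it explicitly on this side keeps the parameter format independent of that fallback. The localized save comment dropped from these URLs is now produced inside `setDisabled` via `localizePlainOrKey`, so nothing is lost there.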
    

