Description
XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry. That means that it's possible to overwrite the rights of a space or a document by creating the page of the space with the same name and checking the right of the new one first so that they end up in the security cache and are used for the other too. The problem has been patched in XWiki 12.10.11, 13.10.1, and 13.4.6. There are no known workarounds.
References (3)
Core 3
Core References
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gg53-wf5x-r3r6
Permissions Required, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-14075
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-18983
Scores
CVSS v3
7.1
EPSS
0.0049
EPSS Percentile
65.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
CWE-285
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-security
5.0 - 12.10.11Maven
xwiki/xwiki
5.0 - 12.10.11
Published
Sep 07, 2022
Tracked Since
Feb 18, 2026