CVE-2022-24821

Description

### Impact Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. ### Patches This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. ### Workarounds There's no easy workaround for this issue, administrators should upgrade their wiki. ### References https://jira.xwiki.org/browse/XWIKI-19155 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](https://jira.xwiki.org) * Email us at [XWiki Security ML](mailto:security@xwiki.org)

How to fix CVE-2022-24821

To remediate CVE-2022-24821, upgrade the affected package to a fixed version below.

• —upgrade to 13.10 or later

Is CVE-2022-24821 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 13.5.0, < 13.10

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-24821
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h
• WEBjira.xwiki.org/browse/XWIKI-19155