8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37910

GHSA ID

GHSA-rwwx-6572-mp29

EPSS Score

0.67739%

CWE

CWE-862

Published

10/25/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37910

CVE-2023-37910: org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

Impact

An attacker with edit access on any document (can be the user profile which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker to access and possibly publish any attachment of which the name is known, regardless if the attacker has view or edit rights on the source document of this attachment. Further, the attachment is deleted from the source document. This vulnerability exists since the introduction of attachment move support in XWiki 14.0 RC1.

Patches

This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1.

Workarounds

There is no workaround apart from upgrading to a fixed version.

References

https://jira.xwiki.org/browse/XWIKI-20334
https://github.com/xwiki/xwiki-platform/commit/d7720219d60d7201c696c3196c9d4a86d0881325

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by Mete.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-37910

CVE-2023-37910:

8.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-37910

GHSA ID

GHSA-rwwx-6572-mp29

EPSS Score

0.67739%

CWE

CWE-862

Published

10/25/2023

Updated

11/10/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-attachment-api	maven	>= 14.0-rc-1, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-attachment-api	maven	>= 14.5, < 14.10.4	14.10.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in the attachment move operation. The critical commit added a new checkMoveRights() method to validate() permissions, which was absent in the original code. The vulnerable process() method directly performed destructive operations (move + event notifications) without these checks. The test file modifications further confirm this by adding authorization failure test cases that would have been impossible to pass before the patch. The function's pre-patch behavior matches the CWE-862 description of missing authorization gates before performing sensitive actions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-37910: org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

Impact

Patches

Workarounds

References

For more information

Attribution

CVE-2023-37910:

8.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37910: org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move

Impact

Patches

Workarounds

References

For more information

Attribution

Technical Details

8.1

8.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI