XWiki Required Rights Enforcement Vulnerability Allowing Unauthorized Programming Rights Assignment

Vulnerability

XWiki versions from 16.10.0-rc-1 up to (but not including) 16.10.4, and from 17.0.0-rc-1 up to (but not including) 17.1.0-rc-1, let a user who holds only edit right save a document with required rights enforced and programming right declared as required, without checking that the saving user actually holds programming right. Because enforced required rights determine the rights a document's content executes with, this can lead to remote code execution and defeats the purpose of the required-rights mechanism. Although successful exploitation would be severe, the overall impact is rated low: specific conditions must be met, and the affected versions ship no user interface for managing required rights, so the malicious save has to be hand-crafted rather than done through the editor.

Impact

Exploitation allows a user who holds only edit right to have a document's content executed with programming right, which in XWiki amounts to remote code execution on the server.

Reproduction

To reproduce, log in as a user who has edit right but not programming right. Open a document whose required rights are not enforced, or that requires only edit right. From the browser's developer console, send a save request for that document that enables required-rights enforcement and declares programming right as required. The save succeeds, and the document now enforces programming right even though the user who saved it never held that right.
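The following is an added illustration, not XWiki's own code, of the security property the reproduction above breaks. It is a deliberately simplified model with hypothetical names (User, Document, save_vulnerable, save_fixed): rights are a flat set rather than XWiki's real right hierarchy, and the assumption, taken from the advisory text, is that once required rights are enforced they replace the author's rights for script execution. The vulnerable save path trusts whatever the request declares; the fixed path refuses to let a saver require a right they do not hold.

```python
from dataclasses import dataclass, field

# Rights a document can declare as "required" in this simplified model.
# Programming right is the most powerful: content executed with it can run
# arbitrary code on the server, which is why the advisory's impact is RCE.
RIGHTS = ("edit", "script", "admin", "programming")


class SaveRejected(PermissionError):
    """Raised when a save would escalate a document beyond its saver's rights."""


@dataclass
class User:
    name: str
    rights: frozenset  # rights this user actually holds (assumed flat set)


@dataclass
class Document:
    name: str
    author: User                # last user who saved the document
    enforce_required: bool = False
    required_rights: frozenset = field(default_factory=frozenset)

    def execution_rights(self) -> frozenset:
        """Rights the document's scripts execute with.

        Assumption from the advisory: once required rights are enforced, the
        declared set replaces the author's own rights. That is only safe if
        the save path guaranteed the declaring user held those rights.
        """
        if self.enforce_required:
            return self.required_rights
        return self.author.rights


def save_vulnerable(doc: Document, saver: User, required: set) -> Document:
    """Affected behaviour: trusts whatever the save request declares."""
    doc.author = saver
    doc.enforce_required = True
    doc.required_rights = frozenset(required)
    return doc


def save_fixed(doc: Document, saver: User, required: set) -> Document:
    """Hardened behaviour: a saver may only require rights they themselves hold."""
    missing = frozenset(required) - saver.rights
    if missing:
        raise SaveRejected(
            f"{saver.name} cannot enforce {sorted(missing)}: right not held"
        )
    doc.author = saver
    doc.enforce_required = True
    doc.required_rights = frozenset(required)
    return doc


def demo():
    """Run both save paths for the advisory's scenario and return the outcomes."""
    # Constructed user: edit right only, no programming right.
    editor = User("editor", frozenset({"edit"}))

    # Vulnerable path: the edit-only user ends up with a document whose
    # content would execute with programming right.
    doc = Document("Sandbox.Test", author=editor)
    save_vulnerable(doc, editor, {"programming"})
    escalated = "programming" in doc.execution_rights()

    # Fixed path: the same request is refused and the document is unchanged.
    doc2 = Document("Sandbox.Test", author=editor)
    try:
        save_fixed(doc2, editor, {"programming"})
        rejected = False
    except SaveRejected:
        rejected = True
    still_edit_only = doc2.execution_rights() == frozenset({"edit"})

    return escalated, rejected, still_edit_only


if __name__ == "__main__":
    print(demo())
```

The check in save_fixed is the whole point: a required-rights declaration is a statement about what the content may do, so it must be bounded by what the person making the declaration is allowed to do; otherwise the declaration becomes a privilege-escalation channel rather than a sandbox.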

Remediation

Upgrade to XWiki 16.10.4 or 17.1.0-rc-1 (or a later release); these are the first versions that contain the fix.
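The affected ranges above are easy to misread because both bounds are pre-release or patch versions. The following added helper (not part of the advisory or of XWiki) encodes the two ranges exactly as stated, lower bound inclusive and fixed version exclusive, and orders XWiki-style version strings so that a milestone sorts before a release candidate, which sorts before the final release of the same number. The accepted version syntax is an assumption drawn from the version strings the advisory itself uses.

```python
import re

# Affected ranges as stated in the advisory: lower bound inclusive,
# upper bound (the first fixed version) exclusive.
AFFECTED_RANGES = [
    ("16.10.0-rc-1", "16.10.4"),
    ("17.0.0-rc-1", "17.1.0-rc-1"),
]

# Pre-release stages in ascending order; None marks a final release.
_STAGE_RANK = {"milestone": 0, "rc": 1, None: 2}

# Assumed version syntax: major.minor[.patch][-milestone-N | -rc-N]
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> tuple:
    """Turn an XWiki version string into a sortable tuple.

    Malformed input is rejected rather than guessed at, so an unparseable
    value can never silently be classified as "not affected".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage = stage.lower() if stage else None
    return (
        int(major),
        int(minor),
        int(patch or 0),
        _STAGE_RANK[stage],
        int(stage_num or 0),
    )


def is_affected(version: str) -> bool:
    """True if the given XWiki version falls inside an affected range."""
    v = parse_version(version)
    return any(
        parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES
    )


def triage(versions):
    """Classify each observed version; returns {version: affected?}."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample, as one might collect from an instance inventory.
    sample = ["16.9.0", "16.10.0-rc-1", "16.10.3", "16.10.4", "17.0.2", "17.1.0-rc-1"]
    for ver, hit in triage(sample).items():
        print(f"{ver:16} {'AFFECTED' if hit else 'not affected'}")
```

Note that the first range starts at a release candidate: 16.10.0-rc-1 is affected but 16.10.0-milestone-1 sorts below it and is not, which matches the advisory's wording rather than assuming every 16.10.0 pre-release is vulnerable.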

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 5.0
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.