{"id":"CVE-2024-21648","summary":"XWiki has no right protection on rollback action","details":"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection, a user can rollback to a previous version of the page to gain rights they don't have anymore. The problem has been patched in XWiki 14.10.17, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback.","aliases":["GHSA-xh35-w7wg-95v3"],"modified":"2026-04-10T05:09:51.164735Z","published":"2024-01-08T23:31:50.298Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-274"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21648.json"},"references":[{"type":"WEB","url":"https://jira.xwiki.org/browse/XWIKI-21257"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/21xxx/CVE-2024-21648.json"},{"type":"ADVISORY","url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xh35-w7wg-95v3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-21648"},{"type":"FIX","url":"https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"93d8322eda7b68fd66f33334b982b047d7cf4f36"},{"fixed":"8fc6dd5d6fd20323bdad4a5c0947abd17910850f"}],"database_specific":{"versions":[{"introduced":"1.0"},{"fixed":"14.10.17"}]}},{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"d823334f762d5ad86bea378b65af0b230668d401"},{"fixed":"c08f3b6b8cdebed64f4f513efc968a01892a48d9"}],"database_specific":{"versions":[{"introduced":"15.0-rc-1"},{"fixed":"15.5.3"}]}},{"type":"GIT","repo":"https://github.com/xwiki/xwiki-platform","events":[{"introduced":"201a8cdfdaad44618c79c6dd0c0bb855b446aafb"},{"fixed":"b0b2c71ded2c886acbe98a71e0bda1728cf86536"}],"database_specific":{"versions":[{"introduced":"15.6-rc-1"},{"fixed":"15.8-rc-1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21648.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"}]}