Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XWiki OIDC Authenticator vulnerable to creation of token for any user with just `view` right
Vulnerability Description
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.
CVSS Information
N/A
Vulnerability Type
授权机制不恰当
Vulnerability Title
OpenID Connect 授权问题漏洞
Vulnerability Description
OpenID Connect(OIDC)是XWiki Contrib开源的一个库。使 XWiki 成为任何应用程序都可以重用的身份提供者。 OpenID Connect(OIDC) 2.17.1版本至2.18.2之前版本存在授权问题漏洞,该漏洞源于具有查看权限的用户可以创建其他用户令牌,可能导致任意用户身份验证。
CVSS Information
N/A
Vulnerability Type
N/A