Impact
Any user with an account on the main wiki could run scheduling operations on subwikis.
To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable.
Patches
This has been patched in XWiki 15.10.9 and 16.3.0.
Workarounds
If you have subwikis where the Job Scheduler is enabled, you can edit the objects on Scheduler.WebPreferences to match 54bcc5a#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4.
References
For more information
If you have any questions or comments about this advisory:
Impact
Any user with an account on the main wiki could run scheduling operations on subwikis.
To reproduce, as a user on the main wiki without any special right, view the document
Scheduler.WebHomein a subwiki. Then, click on any operation (e.g., Trigger) on any job. If the operation is successful, then the instance is vulnerable.Patches
This has been patched in XWiki 15.10.9 and 16.3.0.
Workarounds
If you have subwikis where the Job Scheduler is enabled, you can edit the objects on
Scheduler.WebPreferencesto match 54bcc5a#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4.References
For more information
If you have any questions or comments about this advisory: