Details
- Type: Bug
- Resolution: Solved By
- Priority: Critical
- Fix Version/s: 10.11.9, 11.3.3, 11.6.1
- High
- Unknown
- N/A
- N/A
Description
Issue
When a password is reset, the user document XWiki.<username> is saved as superadmin.
If a macro has been added to the user document before the password reset, it will then be executed with superadmin privileges. A normal user can therefore run, for example, a Groovy script.
Steps to reproduce
- Create an unprivileged user.
- Add an XWiki.WikiMacroClass object with a Groovy script.
- Do a password reset request for this user.
- Use the macro in any document.
Many variants can be used depending on how the user profile is configured.
Other types of objects can also be used to hold the script.
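The condition described above (a user profile document that carries a script-holding object such as XWiki.WikiMacroClass and has been saved with superadmin as its author or content author) can be checked for offline in an exported wiki. The following audit script is an added example and not XWiki's own code; it assumes exported documents in the XAR document XML layout (elements `web`, `name`, `author`, `contentAuthor`, and `object`/`className`), recognises user profiles by their XWiki.XWikiUsers object, and the sample documents are constructed for the test.

```python
"""Audit exported XWiki user documents for script-bearing objects that were
saved under superadmin authorship.  Added example, not XWiki project code.
The XML layout follows the XAR document export format (assumption) and the
sample documents below are constructed."""
import xml.etree.ElementTree as ET

# Object classes that can hold executable content on a profile page.
# XWiki.WikiMacroClass is the class named in the report; the report notes that
# other classes can hold the script too, so extend this set for your install.
SCRIPT_CLASSES = {"XWiki.WikiMacroClass"}
USER_CLASS = "XWiki.XWikiUsers"          # object present on every user profile
# Author strings as they appear in exports (serialised reference forms assumed).
PRIVILEGED_AUTHORS = {"XWiki.superadmin", "xwiki:XWiki.superadmin"}


def audit_document(xml_text):
    """Return findings for one exported document (empty list if clean)."""
    root = ET.fromstring(xml_text)
    doc_ref = f"{root.findtext('web', '')}.{root.findtext('name', '')}"
    author = root.findtext("author", "")
    content_author = root.findtext("contentAuthor", "")
    classes = [o.findtext("className", "") for o in root.findall("object")]

    if USER_CLASS not in classes:
        return []  # not a user profile document, out of scope for this check

    # Scripts run with the rights of the saving author, so a privileged
    # author on a document an ordinary user can edit is the dangerous state.
    privileged = author in PRIVILEGED_AUTHORS or content_author in PRIVILEGED_AUTHORS
    findings = []
    for cls in classes:
        if cls in SCRIPT_CLASSES and privileged:
            findings.append({"document": doc_ref, "object": cls,
                             "author": author, "contentAuthor": content_author})
    return findings


def audit_all(xml_docs):
    """Run audit_document over a collection of exported documents."""
    findings = []
    for xml_text in xml_docs:
        findings.extend(audit_document(xml_text))
    return findings


# Constructed sample: a profile saved as superadmin with a macro object ...
VULNERABLE_DOC = """<xwikidoc reference="XWiki.Alice">
  <web>XWiki</web>
  <name>Alice</name>
  <author>XWiki.superadmin</author>
  <contentAuthor>XWiki.superadmin</contentAuthor>
  <object><className>XWiki.XWikiUsers</className></object>
  <object>
    <className>XWiki.WikiMacroClass</className>
    <property><code>-- constructed placeholder, no real script --</code></property>
  </object>
</xwikidoc>"""

# ... and a profile saved by its own user, which should not be flagged.
CLEAN_DOC = """<xwikidoc reference="XWiki.Bob">
  <web>XWiki</web>
  <name>Bob</name>
  <author>XWiki.Bob</author>
  <contentAuthor>XWiki.Bob</contentAuthor>
  <object><className>XWiki.XWikiUsers</className></object>
  <object><className>XWiki.WikiMacroClass</className></object>
</xwikidoc>"""

SAMPLE_DOCS = [VULNERABLE_DOC, CLEAN_DOC]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_DOCS):
        print(f"{f['document']}: {f['object']} saved as {f['contentAuthor'] or f['author']}")
```

In a real deployment point `audit_all` at the `.xml` files of a XAR export of the XWiki space; any hit is a profile page whose script content would run with superadmin rights and should be re-saved by a non-privileged account or have the object removed.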
Attachments
Issue Links
- depends on: XWIKI-11205 If view rights are not allowed for guest users then ResetPassword doesn't work (Closed)
- is related to: XWIKI-16610 Forgot Username and Reset Password are not available in closed wiki (Closed)
- links to