Details
- Type: Bug
- Resolution: Fixed
- Priority: Critical
- 13.4-rc-1
- Integration
- Unknown
Description
Steps to reproduce:
- Log in as a user without script right
- Edit any page you can edit and add the following Live Data macro:
{{liveData properties="doc.location,levels" source="liveTable" sourceParameters="className=XWiki.XWikiRights"/}}
and a Velocity macro like
{{velocity}}Hello from Velocity!{{/velocity}}
- Make sure your user is an advanced user
- Edit the rights of the page by clicking on "Access Rights" in the edit menu
- Grant edit right to your user
- View the page
- In the Live Data, you should see the current page. Click on the edit icon that appears when hovering the "edit" entry in the "Levels" column.
- Select "script" and click outside the cell to trigger saving.
- Reload the page
Expected result:
The Velocity macro still displays an error (the user has no script right) and the level is still "edit".
Actual result:
The level is "script" and the Velocity macro is executed.
This demonstrates a privilege escalation from edit right to script right: a user who only has edit right on the page can, through in-line editing of the XWiki.XWikiRights object in Live Data, grant themselves a right they do not hold. The same works for any right that can be assigned at the page level, not just script.
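The expected result above amounts to a rule: a save of an XWiki.XWikiRights object by a user must not add a level that user does not already hold, and the report notes this applies to every page-level right, not only script. The following is an added example of that check, written here for illustration and not code from the XWiki project; the REST-style object XML, the user name XWiki.Attacker and the set of held rights are constructed assumptions, and the exact shape of XWiki's own enforcement is not described on this page.

```python
"""Added example (not XWiki's own code): the check the expected result above
implies, namely that saving an XWiki.XWikiRights object must never grant a
level the saving user does not already hold, whatever the level.
The rights-object XML and the held-rights set below are constructed sample
data modelled on XWiki's REST object representation; they are assumptions,
not captured output."""
import xml.etree.ElementTree as ET

XWIKI_NS = {"x": "http://www.xwiki.org"}

# Constructed sample: the rights object after the in-line edit in the steps
# above (levels changed from "edit" to "edit,script" by a user holding only edit).
ESCALATED_RIGHTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<object xmlns="http://www.xwiki.org">
  <className>XWiki.XWikiRights</className>
  <number>0</number>
  <property name="allow"><value>1</value></property>
  <property name="groups"><value></value></property>
  <property name="levels"><value>edit,script</value></property>
  <property name="users"><value>XWiki.Attacker</value></property>
</object>
"""

# Constructed sample: the same object before the edit, which grants nothing new.
ORIGINAL_RIGHTS_XML = ESCALATED_RIGHTS_XML.replace("edit,script", "edit")

# Constructed sample: rights the saving user actually holds on the page.
ATTACKER_HELD_RIGHTS = frozenset({"view", "comment", "edit"})


def _split_list(value):
    """XWiki stores multi-valued properties such as levels as comma-separated strings."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_rights_object(xml_text):
    """Return the allow flag, granted levels and targets of a rights object."""
    root = ET.fromstring(xml_text)
    if root.findtext("x:className", default="", namespaces=XWIKI_NS) != "XWiki.XWikiRights":
        raise ValueError("not an XWiki.XWikiRights object")
    props = {}
    for prop in root.findall("x:property", XWIKI_NS):
        props[prop.get("name")] = prop.findtext("x:value", default="", namespaces=XWIKI_NS)
    return {
        "allow": props.get("allow", "0").strip() == "1",
        "levels": frozenset(_split_list(props.get("levels", ""))),
        "users": _split_list(props.get("users", "")),
        "groups": _split_list(props.get("groups", "")),
    }


def escalated_levels(rights, held_by_saver):
    """Levels an *allow* rule grants that the saving user does not hold.

    A deny rule cannot escalate anything, so it yields an empty set. A grant to
    other users or groups still counts when the saver lacks the level, since the
    saver could be (or join) that target.
    """
    if not rights["allow"]:
        return frozenset()
    return rights["levels"] - held_by_saver


def validate_rights_save(xml_text, held_by_saver):
    """Accept or refuse a rights-object save as the expected result requires;
    the steps above show this was not enforced on the in-line Live Data path."""
    rights = parse_rights_object(xml_text)
    bad = escalated_levels(rights, held_by_saver)
    if bad:
        raise PermissionError("saving user may not grant: " + ", ".join(sorted(bad)))
    return rights


if __name__ == "__main__":
    validate_rights_save(ORIGINAL_RIGHTS_XML, ATTACKER_HELD_RIGHTS)  # accepted
    try:
        validate_rights_save(ESCALATED_RIGHTS_XML, ATTACKER_HELD_RIGHTS)
    except PermissionError as err:
        print("refused:", err)  # refused: saving user may not grant: script
```

The check compares the levels an allow rule grants against the rights of the user performing the save rather than against the rights of the targeted user, because it is the saver's authority that is being exercised; a deny rule is always accepted since it can only remove access.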
Attachments

Issue Links
- is caused by: XWIKI-18098 Push the changes to the server after leaving in-line (cell) editing (Closed)
- links to