Impact
Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked.
Patches
The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.
Workarounds
There is no workaround for this vulnerability other than upgrading.
References
For more information
If you have any questions or comments about this advisory:
Impact
Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked.
Patches
The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it.
Workarounds
There is no workaround for this vulnerability other than upgrading.
References
For more information
If you have any questions or comments about this advisory: