Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-26055

XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.

Published

2023-03-02T19:15:10.867

Last Modified

2024-11-21T07:50:40.323

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-150
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	commons	< 13.10.9	Yes
Application	xwiki	commons	< 14.4.4	Yes
Application	xwiki	commons	< 14.7	Yes
Application	xwiki	commons	3.1	Yes
Application	xwiki	commons	3.1	Yes
Application	xwiki	commons	3.1.1	Yes
Application	xwiki	commons	14.4	Yes

References

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h Exploit, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XCOMMONS-2498 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-19793 Exploit, Issue Tracking, Patch, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-19794 Exploit, Issue Tracking, Patch, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XCOMMONS-2498 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-19793 Exploit, Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-19794 Exploit, Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)