Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-26475

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Published

2023-03-02T19:15:11.470

Last Modified

2024-11-21T07:51:35.250

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-269
CWE-270
Type: Primary
CWE-269

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.10.11	Yes
Application	xwiki	xwiki	< 14.4.7	Yes
Application	xwiki	xwiki	< 14.10	Yes
Application	xwiki	xwiki	2.3	Yes

References

https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr Exploit, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-20360 Exploit, Issue Tracking, Patch, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-20384 Issue Tracking, Patch, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-20360 Exploit, Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-20384 Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)