Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-29511

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in `XWiki.AdminFieldsDisplaySheet`. This page is installed by default. The vulnerability has been patched in XWiki versions 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.

Published

2023-04-16T08:15:07.630

Last Modified

2024-11-21T07:57:12.303

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Secondary
CWE-95

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.10.11	Yes
Application	xwiki	xwiki	< 14.4.8	Yes
Application	xwiki	xwiki	< 14.10.1	Yes
Application	xwiki	xwiki	14.0	Yes
Application	xwiki	xwiki	14.0	Yes

References

https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede Patch ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rfh6-mg6h-h668 Patch, Vendor Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-20261 Exploit, Issue Tracking, Patch, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rfh6-mg6h-h668 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-20261 Exploit, Issue Tracking, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)