Vulnerability Monitor


CVE-2023-35150


XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights by crafting a URL with a dangerous payload, leading to remote code execution. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.


Published

2023-06-23T17:15:09.380

Last Modified

2024-11-21T08:08:02.300

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses
  • Type: Secondary
    CWE-95
  • Type: Primary
    CWE-94

Affected Vendors & Products
Type         Vendor  Product  Version/Range  Vulnerable?
Application  xwiki   xwiki    < 14.4.8       Yes
Application  xwiki   xwiki    < 14.10.4      Yes
Application  xwiki   xwiki    2.4            Yes

References