CVE-2023-29206

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-29206
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx Exploit Patch Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19514 Exploit Issue Tracking
https://jira.xwiki.org/browse/XWIKI-19583 Exploit Issue Tracking
https://jira.xwiki.org/browse/XWIKI-9119 Exploit Issue Tracking Permissions Required
https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx Exploit Patch Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19514 Exploit Issue Tracking
https://jira.xwiki.org/browse/XWIKI-19583 Exploit Issue Tracking
https://jira.xwiki.org/browse/XWIKI-9119 Exploit Issue Tracking Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:milestone_2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:rc1:*:*:*:*:*:*
History

21 Nov 2024, 07:56

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.4 		v2 : unknown
v3 : 9.0
References () https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb - Patch () https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb - Patch
References () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx - Exploit, Patch, Vendor Advisory () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx - Exploit, Patch, Vendor Advisory
References () https://jira.xwiki.org/browse/XWIKI-19514 - Exploit, Issue Tracking () https://jira.xwiki.org/browse/XWIKI-19514 - Exploit, Issue Tracking
References () https://jira.xwiki.org/browse/XWIKI-19583 - Exploit, Issue Tracking () https://jira.xwiki.org/browse/XWIKI-19583 - Exploit, Issue Tracking
References () https://jira.xwiki.org/browse/XWIKI-9119 - Exploit, Issue Tracking, Permissions Required () https://jira.xwiki.org/browse/XWIKI-9119 - Exploit, Issue Tracking, Permissions Required

29 Sep 2023, 11:39

Type Values Removed Values Added
CPE cpe:2.3:a:xwiki:xwiki:3.0:milestone_3:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:3.0:milestone3:*:*:*:*:*:*
Information

Published : 2023-04-15 16:15

Updated : 2024-11-21 07:56

NVD link : CVE-2023-29206

Mitre link : CVE-2023-29206

CVE.ORG link : CVE-2023-29206

JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024