XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39 | Patch Vendor Advisory |
https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49 | Patch Vendor Advisory |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm | Vendor Advisory |
https://jira.xwiki.org/browse/XWIKI-19900 | Issue Tracking Vendor Advisory |
https://jira.xwiki.org/browse/XWIKI-20611 | Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
30 Jun 2023, 07:12
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:xwiki:xwiki:12.9:rc1:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:* cpe:2.3:a:xwiki:xwiki:15.0:*:*:*:*:*:*:* |
|
CWE | CWE-94 | |
First Time |
Xwiki
Xwiki xwiki |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
References | (MISC) https://jira.xwiki.org/browse/XWIKI-19900 - Issue Tracking, Vendor Advisory | |
References | (MISC) https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49 - Patch, Vendor Advisory | |
References | (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm - Vendor Advisory | |
References | (MISC) https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39 - Patch, Vendor Advisory | |
References | (MISC) https://jira.xwiki.org/browse/XWIKI-20611 - Issue Tracking, Vendor Advisory |
23 Jun 2023, 17:21
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-06-23 17:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-35152
Mitre link : CVE-2023-35152
CVE.ORG link : CVE-2023-35152
JSON object : View
Products Affected
xwiki
- xwiki