CVE-2023-37914

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch on `Invitation.InvitationCommon` and `Invitation.InvitationConfig`, but there are otherwise no known workarounds for this vulnerability.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

24 Aug 2023, 17:14

Type Values Removed Values Added
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
First Time Xwiki xwiki
Xwiki
References (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf - (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf - Exploit, Third Party Advisory
References (MISC) https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 - (MISC) https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 - Patch
References (MISC) https://jira.xwiki.org/browse/XWIKI-20421 - (MISC) https://jira.xwiki.org/browse/XWIKI-20421 - Exploit, Issue Tracking, Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8

17 Aug 2023, 18:54

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-17 18:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-37914

Mitre link : CVE-2023-37914

CVE.ORG link : CVE-2023-37914


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')