XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch on `Invitation.InvitationCommon` and `Invitation.InvitationConfig`, but there are otherwise no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 | Patch |
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf | Exploit Third Party Advisory |
https://jira.xwiki.org/browse/XWIKI-20421 | Exploit Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
24 Aug 2023, 17:14
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | |
First Time |
Xwiki xwiki
Xwiki |
|
References | (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 - Patch | |
References | (MISC) https://jira.xwiki.org/browse/XWIKI-20421 - Exploit, Issue Tracking, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
17 Aug 2023, 18:54
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-17 18:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-37914
Mitre link : CVE-2023-37914
CVE.ORG link : CVE-2023-37914
JSON object : View
Products Affected
xwiki
- xwiki
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')