CVE-2020-15171

Опубликовано: 10 сент. 2020

Источник: nvd

CVSS3: 6.6

CVSS2: 6

EPSS Низкий

Описание

In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.

Ссылки

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7qw5-pqhc-xm4g
Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7qw5-pqhc-xm4g
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия до 11.10.5 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 12.0.0 (включая) до 12.2.1 (исключая)

EPSS

Процентиль: 72%

0.00734

Низкий

6.6 Medium

CVSS3

6 Medium

CVSS2

Дефекты

CWE-94

CWE-74

Связанные уязвимости

GHSA-7qw5-pqhc-xm4g