Description
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the rights of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.
References
- Patch
- Exploit, Vendor Advisory
- Exploit, Issue Tracking, Patch, Vendor Advisory
- Issue Tracking, Patch, Vendor Advisory
- Patch
- Exploit, Vendor Advisory
- Exploit, Issue Tracking, Patch, Vendor Advisory
- Issue Tracking, Patch, Vendor Advisory
Vulnerable configurations
Configuration 1
- Version from 2.3 (excluding) to 13.10.11 (excluding)
- Version from 14.0 (including) to 14.4.7 (excluding)
- Version from 14.5 (including) to 14.10 (excluding)
One of
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:2.3:milestone1:*:*:*:*:*:*
EPSS
- Percentile: 96%
- Score: 0.23644 (Medium)
CVSS3
- 9.9 Critical
- 8.8 High
Weaknesses
- CWE-269
Related vulnerabilities
CVSS3: 9.9
github
almost 3 years ago
xwiki-platform vulnerable to Remote Code Execution in Annotations