CVE-2023-26477

Опубликовано: 02 мар. 2023

Источник: nvd

CVSS3: 10

CVSS3: 9.8

EPSS Средний

Описание

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg
Exploit
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19757
Exploit
Issue Tracking
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg
Exploit
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19757
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 6.2.4 (включая) до 13.10.10 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.0 (включая) до 14.4.6 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.5 (включая) до 14.9 (исключая)

EPSS

Процентиль: 98%

0.45936

Средний

10 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-95

CWE-94

Связанные уязвимости

GHSA-x2qm-r4wx-8gpg

CVSS3: 10

github

почти 3 года назад

org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

EPSS

Процентиль: 98%

0.45936

Средний

10 Critical

CVSS3

9.8 Critical

CVSS3

Дефекты

CWE-95

CWE-94