Описание
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.
Ссылки
- Patch
- ExploitPatchVendor Advisory
- ExploitIssue TrackingPatchVendor Advisory
- Patch
- ExploitPatchVendor Advisory
- ExploitIssue TrackingPatchVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 1.1 (исключая) до 13.10.11 (исключая)Версия от 14.0 (включая) до 14.4.7 (исключая)Версия от 14.5 (включая) до 14.10 (исключая)
Одно из
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.1:milestone3:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:1.1:milestone4:*:*:*:*:*:*
EPSS
Процентиль: 79%
0.01261
Низкий
7.7 High
CVSS3
Дефекты
CWE-611
Связанные уязвимости
CVSS3: 7.7
github
почти 3 года назад
XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
EPSS
Процентиль: 79%
0.01261
Низкий
7.7 High
CVSS3
Дефекты
CWE-611