CVE-2023-29212

Опубликовано: 16 апр. 2023

Источник: nvd

CVSS3: 9.9

CVSS3: 8.8

EPSS Низкий

Описание

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on XWiki 14.4.7, and 14.10.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475
Exploit
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20293
Exploit
Issue Tracking
https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475
Exploit
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20293
Exploit
Issue Tracking

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.0 (включая) до 14.4.7 (исключая)

cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.08238

Низкий

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-95

CWE-94

Связанные уязвимости

GHSA-c5f4-p5wv-2475

CVSS3: 9.9

github

почти 3 года назад

xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability

EPSS

Процентиль: 92%

0.08238

Низкий

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-95

CWE-94