CVE-2023-29509

Опубликовано: 16 апр. 2023

Источник: nvd

CVSS3: 9.9

CVSS3: 8.8

EPSS Средний

Описание

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the documentTree macro parameters in This macro is installed by default in FlamingoThemesCode.WebHome. This page is installed by default. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/80d5be36f700adcd56b6c8eb3ed8b973f62ec0ae
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4v8-58f6-mwj4
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20279
Exploit
Issue Tracking
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/80d5be36f700adcd56b6c8eb3ed8b973f62ec0ae
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4v8-58f6-mwj4
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20279
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия до 13.10.11 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 14.4.0 (включая) до 14.4.7 (исключая)

cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:*

EPSS

Процентиль: 97%

0.30124

Средний

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-95

CWE-94

Связанные уязвимости

GHSA-f4v8-58f6-mwj4

CVSS3: 9.9

github

почти 3 года назад

org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

EPSS

Процентиль: 97%

0.30124

Средний

9.9 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-95

CWE-94