exploitDog

CVE-2023-45138

Published: 12 Oct 2023
Source: nvd
CVSS3: 10
CVSS3: 9.6
EPSS: High

Description

Change Request is an application allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Requests are meant to be created by users without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to work around the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the fix commit.

Vulnerable configurations

Configuration 1
cpe:2.3:a:xwiki:change_request:*:*:*:*:*:*:*:*
Versions from 0.11 (inclusive) to 1.9.2 (exclusive)

EPSS

Percentile: 99%
0.78432
High

10 Critical

CVSS3

9.6 Critical

CVSS3

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 10
github
more than 2 years ago

XWiki Change Request Application UI XSS and remote code execution through change request title