CVE-2023-50732

Опубликовано: 21 дек. 2023

Источник: nvd

CVSS3: 8.3

CVSS3: 6.3

EPSS Низкий

Описание

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

Ссылки

https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cj
Exploit
Mitigation
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20625
Exploit
Issue Tracking
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cj
Exploit
Mitigation
Patch
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20625
Exploit
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 8.3 (включая) до 14.10.7 (исключая)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Версия от 15.0 (включая) до 15.2 (исключая)

EPSS

Процентиль: 80%

0.01361

Низкий

8.3 High

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-p5f8-qf24-24cj

CVSS3: 8.3

github

около 2 лет назад

Velocity execution without script right through tree macro

EPSS

Процентиль: 80%

0.01361

Низкий

8.3 High

CVSS3

6.3 Medium

CVSS3

Дефекты

CWE-863