Описание
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
Ссылки
- Patch
- Patch
- Patch
- Patch
- Vendor Advisory
- Issue TrackingVendor Advisory
Уязвимые конфигурации
Конфигурация 1Версия от 9.2 (включая) до 14.10.21 (исключая)Версия от 15.0 (включая) до 15.5.5 (исключая)Версия от 15.6 (включая) до 15.10.2 (исключая)
Одно из
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
EPSS
Процентиль: 93%
0.09745
Низкий
9.9 Critical
CVSS3
8.8 High
CVSS3
Дефекты
CWE-95
CWE-94
Связанные уязвимости
CVSS3: 9.9
github
больше 1 года назад
XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
EPSS
Процентиль: 93%
0.09745
Низкий
9.9 Critical
CVSS3
8.8 High
CVSS3
Дефекты
CWE-95
CWE-94