Description
XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page XWiki.XWikiSyntaxMacrosList as a workaround.
References
- Patch
- Vendor Advisory
- Exploit, Vendor Advisory
- Exploit, Vendor Advisory
Vulnerable configurations
Configuration 1: version from 9.7 (inclusive) to 15.10.11 (exclusive); version from 16.0.0 (inclusive) to 16.4.1 (exclusive)
One of
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:16.5.0:rc1:*:*:*:*:*:*
EPSS
Percentile: 97%
0.39407
Medium
9.9 Critical
CVSS3
8.8 High
CVSS3
Weaknesses
CWE-96
CWE-94
Related vulnerabilities
CVSS3: 9.9
github
about 1 year ago
XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
EPSS
Percentile: 97%
0.39407
Medium
9.9 Critical
CVSS3
8.8 High
CVSS3
Weaknesses
CWE-96
CWE-94