CVE-2023-29206

2023-04-1516:15:07

CWE-79

[email protected]

web.nvd.nist.gov

266

cve-2023-29206

xwiki commons

javascript

stylesheet

authorization

security patch

nvd

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.8%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

Affected configurations

Vulners

NVD

Node

xwikixwikiRange3.0-milestone-1–14.9-rc-1

VendorProductVersionCPE
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 3.0-milestone-1, < 14.9-rc-1",
        "status": "affected"
      }
    ]
  }
]