CVE-2023-29211
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
53.0%
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
Affected configurations
CNA Affected
[
{
"vendor": "xwiki",
"product": "xwiki-platform",
"versions": [
{
"version": ">= 5.3-milestone-2, < 13.10.11",
"status": "affected"
},
{
"version": ">= 14.0-rc-1, < 14.4.7",
"status": "affected"
},
{
"version": ">= 14.5, < 14.10",
"status": "affected"
}
]
}
]Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
53.0%