CVE-2023-45138

2023-10-1217:15:09

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-45138

change request

application security

script injection

remote code execution

vulnerability

nvd

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.5%

JSON

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the fix commit.

Affected configurations

Vulners

NVD

Node

xwiki-contribapplication_changerequestRange0.11–1.9.2

CPENameOperatorVersion
xwiki:change_requestxwiki change requestlt1.9.2

CPE	Name	Operator	Version
xwiki:change_request	xwiki change request	lt	1.9.2

CNA Affected

[
  {
    "vendor": "xwiki-contrib",
    "product": "application-changerequest",
    "versions": [
      {
        "version": ">= 0.11, < 1.9.2",
        "status": "affected"
      }
    ]
  }
]