CVE-2023-26473 XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm

2023-03-0218:17:09

CWE-284

GitHub_M

www.cve.org

xwiki platform

vulnerability

unprivileged

database

select queries

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

33.6%

JSON

XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 1.3-rc-1, < 13.10.11",
        "status": "affected"
      },
      {
        "version": ">= 14.0, < 14.4.7",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.10",
        "status": "affected"
      }
    ]
  }
]