Lucene search

GitHub_MCVELIST:CVE-2023-26474

HistoryMar 02, 2023 - 6:12 p.m.

CVE-2023-26474 XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author

2023-03-0218:12:16

CWE-284

GitHub_M

www.cve.org

xwiki platform

privilege escalation

wiki syntax

execution

security vulnerability

patch

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.9%

JSON

XWiki Platform is a generic wiki platform. Starting in version 13.10, it’s possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 13.10, < 13.10.11",
        "status": "affected"
      },
      {
        "version": ">= 14.0, < 14.4.7",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.10",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r

jira.xwiki.org/browse/XWIKI-20373

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.9%

JSON

Related for CVELIST:CVE-2023-26474