CVE-2023-26477 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

2023-03-0217:52:40

CWE-95

GitHub_M

www.cve.org

xwiki platform

flamingo theme

eval injection

6.3-rc-1

6.2.4

13.10.10

14.9-rc-1

14.4.6

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.3%

JSON

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it’s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 6.2.4, < 13.10.10",
        "status": "affected"
      },
      {
        "version": ">= 14.0, < 14.4.6",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.9-rc-1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284

github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg

jira.xwiki.org/browse/XWIKI-19757