Lucene search

GitHub_MCVELIST:CVE-2023-29507

HistoryApr 16, 2023 - 6:52 a.m.

CVE-2023-29507 org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors

2023-04-1606:52:19

CWE-648

GitHub_M

www.cve.org

cve-2023-29507

xwiki commons

privilege escalation

documentauthors

xwiki 14.10

xwiki 14.4.7

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.2%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 14.5, < 14.10",
        "status": "affected"
      },
      {
        "version": ">= 14.4.1, < 14.4.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c

jira.xwiki.org/browse/XWIKI-20380

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.2%

JSON

Related for CVELIST:CVE-2023-29507