Lucene search

GitHub_MCVELIST:CVE-2023-29524

HistoryApr 18, 2023 - 11:04 p.m.

CVE-2023-29524 Code injection from account through XWiki.SchedulerJobSheet in xwiki-platform

2023-04-1823:04:48

CWE-74

GitHub_M

www.cve.org

cve-2023-29524

code injection

xwiki platform

schedulerjobsheet

xwiki 14.10.3

xwiki 15.0 rc1

upgrade

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.5%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It’s possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass, In “Job Script”, groovy code can be added and will be executed in the server context on viewing. This has been patched in XWiki 14.10.3 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this issue.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": "< 14.10.3",
        "status": "affected"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h

jira.xwiki.org/browse/XWIKI-20295

jira.xwiki.org/browse/XWIKI-20462

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.5%

JSON

Related for CVELIST:CVE-2023-29524