9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
68.7%
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the since
parameter of the /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration
endpoint. This provides an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights and subsequent code execution privilege. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. Users are advised to upgrade. Users unable to upgrade may modify the page XWiki.Notifications.Code.LegacyNotificationAdministration
to add the missing escaping. For versions < 14.6-rc-1 a workaround is to modify the file <xwikiwebapp>/templates/distribution/eventmigration.wiki
to add the missing escaping.
[
{
"vendor": "xwiki",
"product": "xwiki-platform",
"versions": [
{
"version": "< 14.4.8",
"status": "affected"
},
{
"version": ">= 14.5.0, < 14.10.3.",
"status": "affected"
}
]
}
]
github.com/xwiki/xwiki-platform/commit/6d74e2e4aa03d19f0be385ab63ae9e0f0e90a766
github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70
github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgg7-w2rj-58cj
jira.xwiki.org/browse/XWIKI-20287
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
10 High
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
68.7%