6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.01 Low
EPSS
Percentile
83.6%
A user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard.
The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.
There’s no easy workaround for this issue, it is recommended to upgrade XWiki.
https://jira.xwiki.org/browse/XWIKI-17794
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
org.xwiki.commons:xwiki-commons-core | lt | 12.10.3 | |
org.xwiki.commons:xwiki-commons-core | lt | 12.6.7 |
github.com/advisories/GHSA-h353-hc43-95vc
github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc
github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc
jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html
jira.xwiki.org/browse/XWIKI-17794
nvd.nist.gov/vuln/detail/CVE-2021-32621
6.5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.01 Low
EPSS
Percentile
83.6%