GitHub Advisory Database: GHSA-JGRG-QVPP-9VWR
Published: Apr 20, 2023 - 10:25 p.m.

XWiki Platform vulnerable to code injection from account through AWM view sheet

2023-04-20 22:25:02
CWE-74
GitHub Advisory Database
github.com
Tags: xwiki platform, code injection, account, awm view sheet, patch, workaround, security advisory

CVSS3: 9.9 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 51.1%

Impact

Steps to reproduce:

  1. As a user without script or programming rights, edit your user profile (or any other document) with the wiki editor and add the content {{groovy}}println("Hello " + "from Groovy!"){{/groovy}}
  2. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
  3. View the document

Patches

The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3.
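The practical question for an operator is whether a given deployment already carries the fix. The following Python helper is an added example (not part of the advisory or of the XWiki project) that parses XWiki-style version strings such as "14.10.3" and "15.0-rc-1" and reports whether the version is at or above a fixed release named in this advisory. It assumes XWiki's usual "major.minor[.patch][-milestone-N|-rc-N]" version format; a final release is treated as later than any milestone or rc of the same number. Lines earlier than 14.x have no fix listed here, so the check reports them as not carrying the fix rather than guessing whether they are affected.

```python
import re
from typing import Dict, Tuple

# Fixed releases as stated in GHSA-JGRG-QVPP-9VWR.
FIXED_14_LINE = "14.10.3"
FIXED_15_LINE = "15.0-rc-1"

# Pre-release qualifiers in ascending order; a final release sorts last.
# Assumption: XWiki versions look like 14.10.3, 15.0-milestone-2, 15.0-rc-1.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?"
)


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Convert an XWiki version string into a tuple that compares correctly.

    Returns (major, minor, patch, qualifier_rank, qualifier_number).
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, qualifier, qnum = match.groups()
    if qualifier is None:
        return (int(major), int(minor), int(patch or 0), _FINAL_RANK, 0)
    return (
        int(major),
        int(minor),
        int(patch or 0),
        _QUALIFIER_RANK[qualifier],
        int(qnum),
    )


def has_advisory_fix(version: str) -> bool:
    """True if `version` is at or above the fixed release for its line."""
    parsed = parse_version(version)
    if parsed[0] >= 15:
        return parsed >= parse_version(FIXED_15_LINE)
    if parsed[0] == 14:
        return parsed >= parse_version(FIXED_14_LINE)
    # No fixed release for older lines is named in the advisory.
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map instance name -> whether it carries the fix, for a whole fleet."""
    return {name: has_advisory_fix(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "wiki-prod": "14.10.2",
        "wiki-staging": "14.10.3",
        "wiki-dev": "15.0-milestone-2",
        "wiki-next": "15.0-rc-1",
    }
    for name, fixed in triage(sample).items():
        print(f"{name:14} {sample[name]:18} {'fixed' if fixed else 'NEEDS UPGRADE'}")
```

Run it against your own instance list; anything reported as needing an upgrade should move to 14.10.3 or a 15.0-rc-1 or later release, since the advisory lists no workaround.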

Workarounds

There is no known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20423

For more information

If you have any questions or comments about this advisory:

Affected configurations

org.xwiki.platform : xwiki-platform-appwithinminutes
