NVD:CVE-2023-26475
Mar 02, 2023 - 7:15 p.m.

CVE-2023-26475

2023-03-02 19:15:11
CWE-269
CWE-270
web.nvd.nist.gov
xwiki
arbitrary code execution
remote attackers
upgrade
cve-2023-26475

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.5 High
Confidence: High

EPSS: 0.001 Low
Percentile: 50.2%

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the rights of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Affected configurations

NVD
Node
xwiki xwiki Range 2.3 to 13.10.11
OR
xwiki xwiki Range 14.0 to 14.4.7
OR
xwiki xwiki Range 14.5 to 14.10
OR
xwiki xwiki Match 2.3 milestone1
