CVE-2023-26477

2023-03-0218:15:10

CWE-94

CWE-95

[email protected]

web.nvd.nist.gov

xwiki platform

injection vulnerability

arbitrary syntax

patched versions

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.3%

JSON

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it’s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

Affected configurations

NVD

Node

xwikixwikiRange6.2.4–13.10.10

xwikixwikiRange14.0–14.4.6

xwikixwikiRange14.5–14.9

References

github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284

github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg

jira.xwiki.org/browse/XWIKI-19757