Lucene search

[email protected]NVD:CVE-2023-29206

HistoryApr 15, 2023 - 4:15 p.m.

CVE-2023-29206

2023-04-1516:15:07

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-29206

xwiki commons

security patch

javascript

stylesheet

xwiki documents

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

9.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

32.6%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

Affected configurations

NVD

Node

xwikixwikiRange3.0–14.8

xwikixwikiMatch3.0-

xwikixwikiMatch3.0milestone_2

xwikixwikiMatch3.0milestone3

xwikixwikiMatch3.0rc1

References

github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb

github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx

jira.xwiki.org/browse/XWIKI-19514

jira.xwiki.org/browse/XWIKI-19583

jira.xwiki.org/browse/XWIKI-9119