Lucene search

[email protected]NVD:CVE-2023-29519

HistoryApr 19, 2023 - 12:15 a.m.

CVE-2023-29519

2023-04-1900:15:08

CWE-74

[email protected]

web.nvd.nist.gov

xwiki

remote code execution

attachment selector

privilege escalation

vulnerability

patch

upgrade

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.004

Percentile

72.7%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the “property” field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

xwikixwikiRange<13.10.11

xwikixwikiRange14.0–14.4.8

xwikixwikiRange14.5–14.10.2

VendorProductVersionCPE
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	xwiki	*	cpe:2.3:a:xwiki:xwiki::::::::

References

github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1

github.com/xwiki/xwiki-platform/security/advisories/GHSA-3hjg-cghv-22ww

jira.xwiki.org/browse/XWIKI-20364

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.004

Percentile

72.7%

JSON

Related for NVD:CVE-2023-29519

osv2 prion1 github1 openvas1 cve1 cvelist1