Lucene search

[email protected]NVD:CVE-2023-45138

HistoryOct 12, 2023 - 5:15 p.m.

CVE-2023-45138

2023-10-1217:15:09

CWE-79

[email protected]

web.nvd.nist.gov

change request

unauthorized users

script injection

remote code execution

version 1.9.2 fix

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.5%

JSON

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the fix commit.

Affected configurations

NVD

Node

xwikichange_requestRange0.11–1.9.2

References

github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj

jira.xwiki.org/browse/CRAPP-298

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.5%

JSON

Related for NVD:CVE-2023-45138

osv2 cve1 prion1 cvelist1 github1