Lucene search

PRIOn knowledge basePRION:CVE-2023-26475

HistoryMar 02, 2023 - 7:15 p.m.

Code injection

2023-03-0219:15:00

PRIOn knowledge base

www.prio-n.com

xwiki platform

vulnerability

code injection

8.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

50.2%

JSON

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

CPENameOperatorVersion
xwikige14.5
xwikilt14.10
xwikige14.0
xwikilt14.4.7
xwikigt2.3
xwikilt13.10.11
xwikieq2.3 milestone1

Name	Operator	Version
xwiki	ge	14.5
xwiki	lt	14.10
xwiki	ge	14.0
xwiki	lt	14.4.7
xwiki	gt	2.3
xwiki	lt	13.10.11
xwiki	eq	2.3 milestone1

References

github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7

github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr

jira.xwiki.org/browse/XWIKI-20360

jira.xwiki.org/browse/XWIKI-20384