Lucene search

PRIOn knowledge basePRION:CVE-2023-26477

HistoryMar 02, 2023 - 6:15 p.m.

Design/Logic Flaw

2023-03-0218:15:00

PRIOn knowledge base

www.prio-n.com

xwiki platform

arbitrary injection

newthemename

patch

security flaw

workaround

9.4 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.3%

JSON

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it’s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

CPENameOperatorVersion
xwikige14.5
xwikilt14.9
xwikige14.0
xwikilt14.4.6
xwikige6.2.4
xwikilt13.10.10

Name	Operator	Version
xwiki	ge	14.5
xwiki	lt	14.9
xwiki	ge	14.0
xwiki	lt	14.4.6
xwiki	ge	6.2.4
xwiki	lt	13.10.10

References

github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2

github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg

jira.xwiki.org/browse/XWIKI-19757