PRIOn knowledge base: PRION:CVE-2023-29211
History: Apr 16, 2023 - 7:15 a.m.

Code injection

2023-04-16 07:15:00
PRIOn knowledge base
www.prio-n.com
Tags: xwiki commons, code injection, arbitrary code execution, patch, versions 13.10.11, 14.4.7, 14.10, security vulnerability

AI Score: 8.9 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 52.9%)

XWiki Commons are technical libraries common to several other top-level XWiki projects. Any user with view rights on `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` URL parameter. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10.
