Lucene search

PRIOn knowledge basePRION:CVE-2023-29214

HistoryApr 16, 2023 - 7:15 a.m.

Code injection

2023-04-1607:15:00

PRIOn knowledge base

www.prio-n.com

xwiki commons

code injection

vulnerability

patched

versions 14.4.7

14.10

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10.

CPENameOperatorVersion
xwikige14.4.0
xwikilt14.4.7
xwikilt13.10.11
xwikieq14.10 rc1

Name	Operator	Version
xwiki	ge	14.4.0
xwiki	lt	14.4.7
xwiki	lt	13.10.11
xwiki	eq	14.10 rc1

References

github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67

github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh

jira.xwiki.org/browse/XWIKI-20306