Lucene search

PRIOn knowledge basePRION:CVE-2023-29523

HistoryApr 19, 2023 - 12:15 a.m.

Remote code execution

2023-04-1900:15:00

PRIOn knowledge base

www.prio-n.com

xwiki

remote code execution

vulnerability

patch

version 13.10.11

version 14.4.8

version 14.10.2

version 15.0rc1

9 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

79.3%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The same vulnerability can also be exploited in other contexts where the display method on a document is used to display a field with wiki syntax, for example in applications created using App Within Minutes. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.2 and 15.0RC1. There is no workaround apart from upgrading.

CPENameOperatorVersion
xwikilt13.10.11
xwikige14.0
xwikilt14.4.8
xwikige14.5
xwikilt14.10.2

Name	Operator	Version
xwiki	lt	13.10.11
xwiki	ge	14.0
xwiki	lt	14.4.8
xwiki	ge	14.5
xwiki	lt	14.10.2

References

extensions.xwiki.org/xwiki/bin/view/Extension/App%20Within%20Minutes%20Application

github.com/xwiki/xwiki-platform/commit/0d547181389f7941e53291af940966413823f61c

github.com/xwiki/xwiki-platform/security/advisories/GHSA-x764-ff8r-9hpx

jira.xwiki.org/browse/XWIKI-20327