Lucene search

PRIOn knowledge basePRION:CVE-2023-30537

HistoryApr 16, 2023 - 8:15 a.m.

Design/Logic Flaw

2023-04-1608:15:00

PRIOn knowledge base

www.prio-n.com

design flaw

logic flaw

xwiki platform

arbitrary code execution

improper escaping

flamingothemescode

vulnerability

patched

nvd

8.9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.3%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties FlamingoThemesCode.WebHome. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

CPENameOperatorVersion
xwikige14.5
xwikilt14.10
xwikige14.0
xwikilt14.4.7
xwikige12.6.6
xwikilt13.10.11

Name	Operator	Version
xwiki	ge	14.5
xwiki	lt	14.10
xwiki	ge	14.0
xwiki	lt	14.4.7
xwiki	ge	12.6.6
xwiki	lt	13.10.11

References

github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8

github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp

jira.xwiki.org/browse/XWIKI-20280