CVE-2023-26475
10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| xwiki | xwiki-platform | >= 2.3-milestone-1, < 13.10.11 | affected |
| xwiki | xwiki-platform | >= 14.0-rc-1, < 14.4.7 | affected |
| xwiki | xwiki-platform | >= 14.5, < 14.10 | affected |
Weaknesses
- CWE-270: CWE-270: Privilege Context Switching Error
- CWE-269: CWE-269: Improper Privilege Management
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr
- https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7
- https://jira.xwiki.org/browse/XWIKI-20360
- https://jira.xwiki.org/browse/XWIKI-20384
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr
- https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7
- https://jira.xwiki.org/browse/XWIKI-20360
- https://jira.xwiki.org/browse/XWIKI-20384
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.