CVE-2023-35152

Summary

XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-platform>= 12.9-rc-1, < 14.4.8affected
xwikixwiki-platform>= 14.5, < 14.10.6affected
xwikixwiki-platform>= 15.0-rc-1, < 15.1affected

Weaknesses

  • CWE-95: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References