PT-2023-22201 · Xwiki · Xwiki Commons

Fabian Hafner

Published

2023-04-12

Updated

2023-04-26

CVE-2023-29204

CVSS v3.1

4.7

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions XWiki Commons versions prior to 13.10.10 XWiki Commons versions prior to 14.4.4 XWiki Commons versions prior to 14.8RC1

Description It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as //mydomain.com (i.e. omitting the http:) or a URL such as http:/mydomain.com.

Recommendations For versions prior to 13.10.10, update to version 13.10.10 or later. For versions prior to 14.4.4, update to version 14.4.4 or later. For versions prior to 14.8RC1, update to version 14.8RC1 or later. As a temporary workaround, consider providing a patched jar of xwiki-platform-oldcore containing the necessary changes.

Exploit

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601

Related Identifiers

CVE-2023-29204

GHSA-XWPH-X6XJ-WGGV

Affected Products

Xwiki Commons

PT-2023-22201 · Xwiki · Xwiki Commons

CVE-2023-29204

Weakness Enumeration

Related Identifiers

Affected Products

References · 11