PT-2023-22207 · Xwiki · Xwiki
Michael Hamann
·
Published
2023-04-12
·
Updated
2023-04-26
·
CVE-2023-29211
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 13.10.11
XWiki versions prior to 14.4.7
XWiki versions prior to 14.10
Description
The issue allows any user with view rights
WikiManager.DeleteWiki to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter.Recommendations
For XWiki versions prior to 13.10.11, update to version 13.10.11 or later.
For XWiki versions prior to 14.4.7, update to version 14.4.7 or later.
For XWiki versions prior to 14.10, update to version 14.10 or later.
As a temporary workaround, consider restricting access to the
WikiManager.DeleteWiki function until a patch is applied.
Avoid using the wikiId parameter in the affected API endpoint until the issue is resolved.Exploit
Fix
Code Injection
Eval Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Xwiki