PT-2023-22288 · Xwiki · Xwiki

Rekter0

Published

2023-04-12

Updated

2023-04-26

CVE-2023-29506

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions XWiki versions 13.10.8 through 13.10.10 XWiki versions 14.4.3 through 14.4.6 XWiki versions 14.6 through 14.9

Description The issue allows code injection using the URL of authenticated endpoints, such as the /xwiki/authenticate/wiki/xwiki endpoint. This can be exploited by manipulating the URL to inject malicious code. The problem is present in several recent versions of XWiki.

Recommendations For XWiki versions 13.10.8 through 13.10.10, update to version 13.10.11. For XWiki versions 14.4.3 through 14.4.6, update to version 14.4.7. For XWiki versions 14.6 through 14.9, update to version 14.10.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2023-29506

GHSA-JJM5-5V9V-7HX2

Affected Products

Xwiki

PT-2023-22288 · Xwiki · Xwiki

CVE-2023-29506

Weakness Enumeration

Related Identifiers

Affected Products

References · 10