PT-2023-22764 · Xwiki · Xwiki Platform
Michael Hamann
·
Published
2023-04-12
·
Updated
2023-04-26
·
CVE-2023-30537
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 13.10.11
XWiki Platform versions prior to 14.4.7
XWiki Platform versions prior to 14.10
Description
The issue allows any user with the right to add an object on a page to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the style properties of FlamingoThemesCode.WebHome, a page that is installed by default.
Recommendations
For XWiki Platform versions prior to 13.10.11, update to version 13.10.11 or later.
For XWiki Platform versions prior to 14.4.7, update to version 14.4.7 or later.
For XWiki Platform versions prior to 14.10, update to version 14.10 or later.
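Because the fix landed on three separate maintenance branches, "is this instance patched?" is not a single less-than comparison. The following is an added example, not code from this advisory or from the XWiki project: a small Python helper that encodes the three fixed versions above (13.10.11, 14.4.7 and 14.10) and reports whether a given version string is still affected. Two things are assumptions of the example: that XWiki pre-release suffixes such as "-rc-1" or "-milestone-2" sort before the final release with the same numbers, and the sample host inventory, which is constructed for illustration.

```python
"""Version triage for CVE-2023-30537 (XWiki Platform).

Added example, not code from the advisory or from XWiki. Encodes the three
fixed versions named in the advisory as three maintenance branches.
Assumption: a version with a pre-release suffix ("-rc-1", "-milestone-2")
sorts before the final release carrying the same numbers.
"""
import re
from typing import Tuple

# Fixed versions per branch, taken from the advisory's recommendations.
FIX_13_10 = (13, 10, 11)   # 13.10.x maintenance branch (and everything older)
FIX_14_4 = (14, 4, 7)      # 14.4.x maintenance branch
FIX_14_10 = (14, 10, 0)    # 14.x mainline

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(.+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR[.MINOR[.PATCH]][-suffix]' into a sortable tuple.

    The fourth element is 0 for a pre-release (any '-suffix' present) and
    1 for a final release, so that 14.10-rc-1 < 14.10 < 14.10.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if suffix else 1)


def is_affected(text: str) -> bool:
    """Return True if this XWiki Platform version does not contain the fix."""
    v = parse_version(text)
    major, minor = v[0], v[1]
    if major < 14:
        # 13.x and older: only the 13.10.x branch received a fix.
        return v < FIX_13_10 + (1,)
    if (major, minor) == (14, 4):
        # 14.4.x branch: fixed from 14.4.7 onwards.
        return v < FIX_14_4 + (1,)
    # 14.x mainline: 14.0-14.3, 14.5-14.9 and 14.10 pre-releases are affected.
    return v < FIX_14_10 + (1,)


def triage(inventory):
    """Map host -> 'affected'/'fixed' for an iterable of (host, version)."""
    return {host: ("affected" if is_affected(ver) else "fixed")
            for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these hosts and versions are illustrative.
    sample = [("wiki-a", "13.10.10"), ("wiki-b", "14.4.7"),
              ("wiki-c", "14.10-rc-1"), ("wiki-d", "14.10.2")]
    for host, state in triage(sample).items():
        print(f"{host}: {state}")
```

Note that 14.4.7 is reported as fixed even though it is numerically below 14.10, and 14.5.0 is reported as affected even though it is above 14.4.7; a naive single-threshold comparison gets both of these wrong.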
As a temporary workaround, consider restricting access to the FlamingoThemesCode.WebHome page to minimize the risk of exploitation.
Exploit
Fix
Code Injection
Eval Injection
Related Identifiers
Affected Products
Xwiki Platform