PT-2023-4806 · Xwiki · Xwiki Platform
Michael Hamann
Published 2023-08-17 · Updated 2023-08-24
CVE-2023-37914
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.6
XWiki Platform versions prior to 15.2-rc-1
Description
The issue concerns the XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros, including Groovy and Python macros, which allows remote code execution with unrestricted read and write access to all wiki contents.
Recommendations
For XWiki Platform versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For XWiki Platform versions prior to 14.10.6, upgrade to version 14.10.6 or later.
For XWiki Platform versions prior to 15.2-rc-1, upgrade to version 15.2-rc-1 or later.
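As an added, defender-side aid to applying the upgrade recommendations above (example code written for this page, not XWiki's own tooling), the following Python script parses XWiki version strings, including release-candidate suffixes, and reports whether an installed version still predates the fix on its branch. The mapping of versions onto the 14.4.x, 14.5 to 14.10.x and 15.x branches is an assumption drawn from XWiki's maintenance-branch release model; the fixed versions themselves are the ones listed above.

```python
import re
from typing import List, Tuple

# Fixed versions named in the advisory, keyed by the maintenance branch they
# belong to. The branch assignment (14.4.x, 14.5..14.10.x, 15.x) is an
# assumption based on XWiki's release model; the advisory lists only the
# fixed versions.
FIXED_VERSIONS = {
    "14.4": "14.4.8",
    "14.10": "14.10.6",
    "15": "15.2-rc-1",
}

# Pre-release ordering: milestone < rc < final release.
_PRE_RANK = {"milestone": 0, "rc": 1}


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Split an XWiki version string into comparable parts.

    "15.2-rc-1" -> ((15, 2, 0), (1, 1))   release candidate 1 of 15.2
    "15.2"      -> ((15, 2, 0), (2, 0))   final release, sorts after any rc
    "14.4.8"    -> ((14, 4, 8), (2, 0))
    Numeric parts are padded to three places so 15.2 and 15.2.0 compare equal.
    """
    m = re.fullmatch(
        r"(\d+(?:\.\d+)*)(?:-(rc|milestone)-(\d+))?", text.strip(), re.IGNORECASE
    )
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3)))
    else:
        pre = (2, 0)
    return nums, pre


def fixed_version_for(version: str) -> str:
    """Return the fixed release on the branch this version belongs to (assumed branch model)."""
    nums, _ = parse_version(version)
    major, minor = nums[0], nums[1]
    if major < 14 or (major == 14 and minor <= 4):
        return FIXED_VERSIONS["14.4"]
    if major == 14:  # 14.5 .. 14.10.x
        return FIXED_VERSIONS["14.10"]
    return FIXED_VERSIONS["15"]  # 15.x and later


def is_vulnerable(version: str) -> bool:
    """True if the installed version is older than the fix on its branch."""
    return parse_version(version) < parse_version(fixed_version_for(version))


def triage(versions: List[str]) -> List[Tuple[str, bool, str]]:
    """Return (version, vulnerable?, fixed version to upgrade to) for each input."""
    return [(v, is_vulnerable(v), fixed_version_for(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample inventory of installed versions, not data from the advisory.
    inventory = ["14.4.7", "14.4.8", "14.7.1", "14.10.6", "15.1", "15.2-rc-1", "15.2"]
    for v, vuln, fix in triage(inventory):
        status = f"VULNERABLE -> upgrade to {fix}" if vuln else "fixed"
        print(f"{v:12} {status}")
```

The release-candidate handling is the part worth checking: "15.2-rc-1" must sort after every 15.1.x release but before the final "15.2", which a plain string or float comparison gets wrong.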
As a temporary workaround for users unable to upgrade, manually apply the patch on Invitation.InvitationCommon and Invitation.InvitationConfig.
Exploit · Fix
RCE · Code Injection · Eval Injection
Related Identifiers
Affected Products: Xwiki Platform