PT-2023-8598 · Xwiki · Xwiki Platform

Michael Hamann

Published

2023-04-18

Updated

2023-04-28

CVE-2023-29513

CVSS v3.1

5.0

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0-rc-1

Description The issue is related to insufficient access control in the XWiki Platform, allowing a remote attacker to create a new user. This can be achieved by exploiting the distribution/firstadminuser.wiki in the wrong context, if a guest has view rights on any document.

Recommendations For versions prior to 14.10.1, upgrade to version 14.10.1 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider restricting guest view rights on documents to minimize the risk of exploitation.

Exploit

Fix

Improper Access Control

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-284

Related Identifiers

BDU:2024-01251

CVE-2023-29513

GHSA-FP36-MJW5-FMGX

Affected Products

Xwiki Platform

PT-2023-8598 · Xwiki · Xwiki Platform

CVE-2023-29513

Weakness Enumeration

Related Identifiers

Affected Products

References · 10