
We found results for “”
CVE-2023-26477
Good to know:

Date: March 2, 2023
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the "newThemeName" request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit "FlamingoThemesCode.WebHomeSheet" and manually perform the changes from the patch fixing the issue.
Language: Java
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Top Fix

Upgrade Version
Upgrade to version org.xwiki.platform:xwiki-platform-flamingo-theme-ui:13.10.10;org.xwiki.platform:xwiki-platform-flamingo-theme-ui:14.4.6;org.xwiki.platform:xwiki-platform-flamingo-theme-ui:14.9-rc-1
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | CHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | HIGH |