Home > Vulnerability Database > CVE-2023-29519

Mend.io Vulnerability Database

CVE-2023-29519

Good to know:

Date: April 18, 2023

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: Java

Severity Score

9.0

Related Resources (6)

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3hjg-cghv-22ww

Url: https://jira.xwiki.org/browse/XWIKI-20364

Url: https://github.com/xwiki/xwiki-platform

Url: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-29519

Url: https://www.mend.io/vulnerability-database/CVE-2023-29519

Severity Score

9.0

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-attachment-ui:14.10.2;org.xwiki.platform:xwiki-platform-attachment-ui:13.10.11;org.xwiki.platform:xwiki-platform-attachment-ui:14.4.8

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-29519

Good to know:

Date: April 18, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?