Home > Vulnerability Database > CVE-2023-29524

Mend.io Vulnerability Database

CVE-2023-29524

Good to know:

Date: April 18, 2023

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass, In "Job Script", groovy code can be added and will be executed in the server context on viewing. This has been patched in XWiki 14.10.3 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this issue.

Language: Java

Severity Score

8.8

Related Resources (5)

Url: https://jira.xwiki.org/browse/XWIKI-20295

Url: https://jira.xwiki.org/browse/XWIKI-20462

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-29524

Url: https://www.mend.io/vulnerability-database/CVE-2023-29524

Severity Score

8.8

Weakness Type (CWE)

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-scheduler-ui:14.10.3

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-29524

Good to know:

Date: April 18, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?