Vulnerability DatabaseCVE-2023-29525
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2023-29525
April 18, 2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. This provides an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights and subsequent code execution privilege. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. Users are advised to upgrade. Users unable to upgrade may modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping. For versions < 14.6-rc-1 a workaround is to modify the file `<xwikiwebapp>/templates/distribution/eventmigration.wiki` to add the missing escaping.
Affected Packages
org.xwiki.platform:xwiki-platform-distribution-war (JAVA):
Affected version(s) >=14.0-rc-1 <14.4.8
Fix Suggestion:
Update to version 14.4.8
org.xwiki.platform:xwiki-platform-distribution-war (JAVA):
Affected version(s) >=12.6.1 <13.10.11
Fix Suggestion:
Update to version 13.10.11
org.xwiki.platform:xwiki-platform-distribution-war (JAVA):
Affected version(s) =14.5 <14.6-rc-1
Fix Suggestion:
Update to version 14.6-rc-1
org.xwiki.platform:xwiki-platform-legacy-events-hibernate-ui (JAVA):
Affected version(s) >=14.6-rc-1 <14.10.3
Fix Suggestion:
Update to version 14.10.3
Related ResourcesĀ (6)
https://github.com/xwiki/xwiki-platform
https://github.com/xwiki/xwiki-platform/commit/6d74e2e4aa03d19f0be385ab63ae9e0f0e90a766
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgg7-w2rj-58cj
https://jira.xwiki.org/browse/XWIKI-20287
https://nvd.nist.gov/vuln/detail/CVE-2023-29525
https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74
EPSS
Base Score:
19.00