Home > Vulnerability Database > CVE-2023-30537

Mend.io Vulnerability Database

CVE-2023-30537

Good to know:

Date: April 16, 2023

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties "FlamingoThemesCode.WebHome". This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

Language: Java

Severity Score

9.9

Related Resources (6)

Url: https://github.com/xwiki/xwiki-platform

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-30537

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp

Url: https://jira.xwiki.org/browse/XWIKI-20280

Url: https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8

Url: https://www.mend.io/vulnerability-database/CVE-2023-30537

Severity Score

9.9

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-95

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-flamingo-theme-ui:13.10.11;org.xwiki.platform:xwiki-platform-flamingo-theme-ui:14.4.7;org.xwiki.platform:xwiki-platform-flamingo-theme-ui:14.10

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2023-30537

Good to know:

Date: April 16, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?