Home > Vulnerability Database > CVE-2023-45138

Mend.io Vulnerability Database

CVE-2023-45138

Good to know:

Date: October 12, 2023

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.

Language: Java

Severity Score

9.6

Related Resources (5)

Url: https://jira.xwiki.org/browse/CRAPP-298

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-45138

Url: https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj

Url: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

Url: https://www.mend.io/vulnerability-database/CVE-2023-45138

Severity Score

9.6

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version org.xwiki.contrib.changerequest:application-changerequest-ui:1.9.2

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-45138

Good to know:

Date: October 12, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?