9.9

CVE-2023-26471

Exploit

EPSS 1.74%
Published 02.03.2023 19:15:11
Last modified 21.11.2024 07:51:34
Source security-advisories@github.com
Teams watchlist Login
Open Login

XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 11.6 < 13.10.10

Xwiki ≫ Xwiki Version >= 14.0 < 14.4.6

Xwiki ≫ Xwiki Version >= 14.5 < 14.9

Xwiki ≫ Xwiki Version11.6 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.74%	0.814

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20234

Patch

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-26471

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-26471

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-26471

EUVD