CVE-2023-26475

Exploit

EPSS 29.36%
Veröffentlicht 02.03.2023 19:15:11
Zuletzt bearbeitet 21.11.2024 07:51:35
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version > 2.3 < 13.10.11

Xwiki ≫ Xwiki Version >= 14.0 < 14.4.7

Xwiki ≫ Xwiki Version >= 14.5 < 14.10

Xwiki ≫ Xwiki Version2.3 Updatemilestone1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	29.36%	0.963

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-270 Privilege Context Switching Error

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr

Vendor Advisory

Exploit

https://jira.xwiki.org/browse/XWIKI-20360

Patch

Vendor Advisory

Exploit

Issue Tracking

https://jira.xwiki.org/browse/XWIKI-20384

Patch