CVE-2023-29507

EPSS 0.65%
Published 16.04.2023 07:15:53
Last modified 06.02.2025 17:15:16
Source security-advisories@github.com
Teams watchlist Login
Open Login

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 14.4.1 < 14.4.7

Xwiki ≫ Xwiki Version14.10 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.65%	0.694

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20380

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-29507

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29507

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29507

EUVD