CVE-2023-29507

EPSS 0.65%
Veröffentlicht 16.04.2023 07:15:53
Zuletzt bearbeitet 06.02.2025 17:15:16
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 14.4.1 < 14.4.7

Xwiki ≫ Xwiki Version14.10 Updaterc1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.65%	0.694

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.1	2.3	6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE-648 Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20380

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-29507

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-29507

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-29507

EUVD