Vulnerability Details CVE-2023-29212
XWiki Commons are technical libraries common to several other top-level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched in XWiki 14.4.7 and 14.10.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.083
EPSS Ranking 91.8%
CVSS Severity
CVSS v3 Score 9.9
Products affected by CVE-2023-29212
- cpe:2.3:a:xwiki:xwiki:14.0
- cpe:2.3:a:xwiki:xwiki:14.1
- cpe:2.3:a:xwiki:xwiki:14.10
- cpe:2.3:a:xwiki:xwiki:14.2
- cpe:2.3:a:xwiki:xwiki:14.2.1
- cpe:2.3:a:xwiki:xwiki:14.3
- cpe:2.3:a:xwiki:xwiki:14.3.1
- cpe:2.3:a:xwiki:xwiki:14.4
- cpe:2.3:a:xwiki:xwiki:14.4.3
- cpe:2.3:a:xwiki:xwiki:14.4.4
- cpe:2.3:a:xwiki:xwiki:14.4.5
- cpe:2.3:a:xwiki:xwiki:14.4.6