Vulnerability Details CVE-2023-30537
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.022
EPSS Ranking 83.5%
CVSS Severity
CVSS v3 Score 9.9
References
- https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
- https://jira.xwiki.org/browse/XWIKI-20280
- https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
- https://jira.xwiki.org/browse/XWIKI-20280
Products affected by CVE-2023-30537
-
cpe:2.3:a:xwiki:xwiki:12.10
-
cpe:2.3:a:xwiki:xwiki:12.10.1
-
cpe:2.3:a:xwiki:xwiki:12.10.10
-
cpe:2.3:a:xwiki:xwiki:12.10.11
-
cpe:2.3:a:xwiki:xwiki:12.10.2
-
cpe:2.3:a:xwiki:xwiki:12.10.3
-
cpe:2.3:a:xwiki:xwiki:12.10.4
-
cpe:2.3:a:xwiki:xwiki:12.10.5
-
cpe:2.3:a:xwiki:xwiki:12.10.6
-
cpe:2.3:a:xwiki:xwiki:12.10.7
-
cpe:2.3:a:xwiki:xwiki:12.10.8
-
cpe:2.3:a:xwiki:xwiki:12.10.9
-
cpe:2.3:a:xwiki:xwiki:12.6.6
-
cpe:2.3:a:xwiki:xwiki:12.6.7
-
cpe:2.3:a:xwiki:xwiki:12.6.8
-
cpe:2.3:a:xwiki:xwiki:12.7
-
cpe:2.3:a:xwiki:xwiki:12.7.1
-
cpe:2.3:a:xwiki:xwiki:12.8
-
cpe:2.3:a:xwiki:xwiki:12.9
-
cpe:2.3:a:xwiki:xwiki:13.0
-
cpe:2.3:a:xwiki:xwiki:13.1
-
cpe:2.3:a:xwiki:xwiki:13.10
-
cpe:2.3:a:xwiki:xwiki:13.10.1
-
cpe:2.3:a:xwiki:xwiki:13.10.10
-
cpe:2.3:a:xwiki:xwiki:13.10.2
-
cpe:2.3:a:xwiki:xwiki:13.10.3
-
cpe:2.3:a:xwiki:xwiki:13.10.4
-
cpe:2.3:a:xwiki:xwiki:13.10.5
-
cpe:2.3:a:xwiki:xwiki:13.10.6
-
cpe:2.3:a:xwiki:xwiki:13.10.8
-
cpe:2.3:a:xwiki:xwiki:13.2
-
cpe:2.3:a:xwiki:xwiki:13.3
-
cpe:2.3:a:xwiki:xwiki:13.4
-
cpe:2.3:a:xwiki:xwiki:13.4.1
-
cpe:2.3:a:xwiki:xwiki:13.4.2
-
cpe:2.3:a:xwiki:xwiki:13.4.3
-
cpe:2.3:a:xwiki:xwiki:13.4.4
-
cpe:2.3:a:xwiki:xwiki:13.4.5
-
cpe:2.3:a:xwiki:xwiki:13.4.6
-
cpe:2.3:a:xwiki:xwiki:13.4.7
-
cpe:2.3:a:xwiki:xwiki:13.5
-
cpe:2.3:a:xwiki:xwiki:13.6
-
cpe:2.3:a:xwiki:xwiki:13.7
-
cpe:2.3:a:xwiki:xwiki:13.8
-
cpe:2.3:a:xwiki:xwiki:13.9
-
cpe:2.3:a:xwiki:xwiki:14.0
-
cpe:2.3:a:xwiki:xwiki:14.1
-
cpe:2.3:a:xwiki:xwiki:14.2
-
cpe:2.3:a:xwiki:xwiki:14.2.1
-
cpe:2.3:a:xwiki:xwiki:14.3
-
cpe:2.3:a:xwiki:xwiki:14.3.1
-
cpe:2.3:a:xwiki:xwiki:14.4
-
cpe:2.3:a:xwiki:xwiki:14.4.3
-
cpe:2.3:a:xwiki:xwiki:14.4.4
-
cpe:2.3:a:xwiki:xwiki:14.4.5
-
cpe:2.3:a:xwiki:xwiki:14.4.6
-
cpe:2.3:a:xwiki:xwiki:14.5
-
cpe:2.3:a:xwiki:xwiki:14.5.0
-
cpe:2.3:a:xwiki:xwiki:14.6
-
cpe:2.3:a:xwiki:xwiki:14.7
-
cpe:2.3:a:xwiki:xwiki:14.9