Vulnerability Details CVE-2023-37912
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.099
EPSS Ranking 92.7%
CVSS Severity
CVSS v3 Score 9.9
References
- https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e
- https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-35j5-m29r-xfq5
- https://jira.xwiki.org/browse/XRENDERING-688
- https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e
- https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-35j5-m29r-xfq5
- https://jira.xwiki.org/browse/XRENDERING-688
Products affected by CVE-2023-37912
-
cpe:2.3:a:xwiki:xwiki-rendering:10.0
-
cpe:2.3:a:xwiki:xwiki-rendering:10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:10.10
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.1
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.10
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.11
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.2
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.3
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.4
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.5
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.6
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.7
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.8
-
cpe:2.3:a:xwiki:xwiki-rendering:10.11.9
-
cpe:2.3:a:xwiki:xwiki-rendering:10.2
-
cpe:2.3:a:xwiki:xwiki-rendering:10.3
-
cpe:2.3:a:xwiki:xwiki-rendering:10.4
-
cpe:2.3:a:xwiki:xwiki-rendering:10.5
-
cpe:2.3:a:xwiki:xwiki-rendering:10.6
-
cpe:2.3:a:xwiki:xwiki-rendering:10.6.1
-
cpe:2.3:a:xwiki:xwiki-rendering:10.7
-
cpe:2.3:a:xwiki:xwiki-rendering:10.7.1
-
cpe:2.3:a:xwiki:xwiki-rendering:10.8
-
cpe:2.3:a:xwiki:xwiki-rendering:10.8.1
-
cpe:2.3:a:xwiki:xwiki-rendering:10.8.2
-
cpe:2.3:a:xwiki:xwiki-rendering:10.8.3
-
cpe:2.3:a:xwiki:xwiki-rendering:10.9
-
cpe:2.3:a:xwiki:xwiki-rendering:11.0
-
cpe:2.3:a:xwiki:xwiki-rendering:11.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.0.2
-
cpe:2.3:a:xwiki:xwiki-rendering:11.0.3
-
cpe:2.3:a:xwiki:xwiki-rendering:11.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.10
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.11
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.12
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.13
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.2
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.3
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.4
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.5
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.6
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.7
-
cpe:2.3:a:xwiki:xwiki-rendering:11.10.8
-
cpe:2.3:a:xwiki:xwiki-rendering:11.2
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.2
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.3
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.4
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.5
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.6
-
cpe:2.3:a:xwiki:xwiki-rendering:11.3.7
-
cpe:2.3:a:xwiki:xwiki-rendering:11.4
-
cpe:2.3:a:xwiki:xwiki-rendering:11.5
-
cpe:2.3:a:xwiki:xwiki-rendering:11.6
-
cpe:2.3:a:xwiki:xwiki-rendering:11.6.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.7
-
cpe:2.3:a:xwiki:xwiki-rendering:11.8
-
cpe:2.3:a:xwiki:xwiki-rendering:11.8.1
-
cpe:2.3:a:xwiki:xwiki-rendering:11.9
-
cpe:2.3:a:xwiki:xwiki-rendering:12.0
-
cpe:2.3:a:xwiki:xwiki-rendering:12.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.10
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.11
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.2
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.3
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.4
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.5
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.6
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.7
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.8
-
cpe:2.3:a:xwiki:xwiki-rendering:12.10.9
-
cpe:2.3:a:xwiki:xwiki-rendering:12.2
-
cpe:2.3:a:xwiki:xwiki-rendering:12.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.3
-
cpe:2.3:a:xwiki:xwiki-rendering:12.4
-
cpe:2.3:a:xwiki:xwiki-rendering:12.5
-
cpe:2.3:a:xwiki:xwiki-rendering:12.5.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.2
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.3
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.4
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.5
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.6
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.7
-
cpe:2.3:a:xwiki:xwiki-rendering:12.6.8
-
cpe:2.3:a:xwiki:xwiki-rendering:12.7
-
cpe:2.3:a:xwiki:xwiki-rendering:12.7.1
-
cpe:2.3:a:xwiki:xwiki-rendering:12.8
-
cpe:2.3:a:xwiki:xwiki-rendering:12.9
-
cpe:2.3:a:xwiki:xwiki-rendering:13.0
-
cpe:2.3:a:xwiki:xwiki-rendering:13.1
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.10
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.11
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.2
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.3
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.4
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.5
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.6
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.7
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.8
-
cpe:2.3:a:xwiki:xwiki-rendering:13.10.9
-
cpe:2.3:a:xwiki:xwiki-rendering:13.2
-
cpe:2.3:a:xwiki:xwiki-rendering:13.3
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:13.4.7
-
cpe:2.3:a:xwiki:xwiki-rendering:13.5
-
cpe:2.3:a:xwiki:xwiki-rendering:13.6
-
cpe:2.3:a:xwiki:xwiki-rendering:13.7
-
cpe:2.3:a:xwiki:xwiki-rendering:13.8
-
cpe:2.3:a:xwiki:xwiki-rendering:13.9
-
cpe:2.3:a:xwiki:xwiki-rendering:14.0
-
cpe:2.3:a:xwiki:xwiki-rendering:14.1
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10.2
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10.3
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10.4
-
cpe:2.3:a:xwiki:xwiki-rendering:14.10.5
-
cpe:2.3:a:xwiki:xwiki-rendering:14.2
-
cpe:2.3:a:xwiki:xwiki-rendering:14.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:14.3
-
cpe:2.3:a:xwiki:xwiki-rendering:14.3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.7
-
cpe:2.3:a:xwiki:xwiki-rendering:14.4.8
-
cpe:2.3:a:xwiki:xwiki-rendering:14.5
-
cpe:2.3:a:xwiki:xwiki-rendering:14.6
-
cpe:2.3:a:xwiki:xwiki-rendering:14.7
-
cpe:2.3:a:xwiki:xwiki-rendering:14.8
-
cpe:2.3:a:xwiki:xwiki-rendering:14.9
-
cpe:2.3:a:xwiki:xwiki-rendering:15.0
-
cpe:2.3:a:xwiki:xwiki-rendering:3.0
-
cpe:2.3:a:xwiki:xwiki-rendering:3.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:3.1.1
-
cpe:2.3:a:xwiki:xwiki-rendering:3.2
-
cpe:2.3:a:xwiki:xwiki-rendering:3.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:3.3
-
cpe:2.3:a:xwiki:xwiki-rendering:3.3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:3.4
-
cpe:2.3:a:xwiki:xwiki-rendering:3.5
-
cpe:2.3:a:xwiki:xwiki-rendering:3.5.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.0
-
cpe:2.3:a:xwiki:xwiki-rendering:4.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.1.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.1.2
-
cpe:2.3:a:xwiki:xwiki-rendering:4.1.3
-
cpe:2.3:a:xwiki:xwiki-rendering:4.1.4
-
cpe:2.3:a:xwiki:xwiki-rendering:4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:4.3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:4.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:4.5.1
-
cpe:2.3:a:xwiki:xwiki-rendering:4.5.2
-
cpe:2.3:a:xwiki:xwiki-rendering:4.5.3
-
cpe:2.3:a:xwiki:xwiki-rendering:4.5.4
-
cpe:2.3:a:xwiki:xwiki-rendering:5.0
-
cpe:2.3:a:xwiki:xwiki-rendering:5.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:5.0.2
-
cpe:2.3:a:xwiki:xwiki-rendering:5.0.3
-
cpe:2.3:a:xwiki:xwiki-rendering:5.1
-
cpe:2.3:a:xwiki:xwiki-rendering:5.2
-
cpe:2.3:a:xwiki:xwiki-rendering:5.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:5.2.2
-
cpe:2.3:a:xwiki:xwiki-rendering:5.2.3
-
cpe:2.3:a:xwiki:xwiki-rendering:5.2.4
-
cpe:2.3:a:xwiki:xwiki-rendering:5.3
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:5.4.7
-
cpe:2.3:a:xwiki:xwiki-rendering:6.0
-
cpe:2.3:a:xwiki:xwiki-rendering:6.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:6.1
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.2
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.3
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.4
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.5
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.6
-
cpe:2.3:a:xwiki:xwiki-rendering:6.2.7
-
cpe:2.3:a:xwiki:xwiki-rendering:6.3
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.7
-
cpe:2.3:a:xwiki:xwiki-rendering:6.4.8
-
cpe:2.3:a:xwiki:xwiki-rendering:7.0
-
cpe:2.3:a:xwiki:xwiki-rendering:7.0.1
-
cpe:2.3:a:xwiki:xwiki-rendering:7.1
-
cpe:2.3:a:xwiki:xwiki-rendering:7.1.1
-
cpe:2.3:a:xwiki:xwiki-rendering:7.1.2
-
cpe:2.3:a:xwiki:xwiki-rendering:7.1.3
-
cpe:2.3:a:xwiki:xwiki-rendering:7.1.4
-
cpe:2.3:a:xwiki:xwiki-rendering:7.2
-
cpe:2.3:a:xwiki:xwiki-rendering:7.3
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:7.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:8.0
-
cpe:2.3:a:xwiki:xwiki-rendering:8.1
-
cpe:2.3:a:xwiki:xwiki-rendering:8.2
-
cpe:2.3:a:xwiki:xwiki-rendering:8.2.1
-
cpe:2.3:a:xwiki:xwiki-rendering:8.2.2
-
cpe:2.3:a:xwiki:xwiki-rendering:8.3
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.1
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.2
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.3
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.4
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.5
-
cpe:2.3:a:xwiki:xwiki-rendering:8.4.6
-
cpe:2.3:a:xwiki:xwiki-rendering:9.0
-
cpe:2.3:a:xwiki:xwiki-rendering:9.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.1.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.1.2
-
cpe:2.3:a:xwiki:xwiki-rendering:9.10
-
cpe:2.3:a:xwiki:xwiki-rendering:9.10.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.2
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.3
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.4
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.5
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.6
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.7
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.8
-
cpe:2.3:a:xwiki:xwiki-rendering:9.11.9
-
cpe:2.3:a:xwiki:xwiki-rendering:9.2
-
cpe:2.3:a:xwiki:xwiki-rendering:9.3
-
cpe:2.3:a:xwiki:xwiki-rendering:9.3.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.4
-
cpe:2.3:a:xwiki:xwiki-rendering:9.5
-
cpe:2.3:a:xwiki:xwiki-rendering:9.5.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.6
-
cpe:2.3:a:xwiki:xwiki-rendering:9.7
-
cpe:2.3:a:xwiki:xwiki-rendering:9.8
-
cpe:2.3:a:xwiki:xwiki-rendering:9.8.1
-
cpe:2.3:a:xwiki:xwiki-rendering:9.9