An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1neDRmLTk3NmctN2c2ds4AAyAD

XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference


Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host.

Example to reproduce:

You'll then notice that the displayed UI contains the content of the /etc/passwd file.


The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1.


You'd need to get XWiki Platform sources and apply the changes from to the XarPackage java class and then copy the modified version to your WEB-INF/classes directory (or rebuild the xwiki-platform-xar-model maven module and replace the one found in WEB-INF/lib/).


For more information

If you have any questions or comments about this advisory:

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago

CVSS Score: 7.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Identifiers: GHSA-gx4f-976g-7g6v, CVE-2023-27480
References: Repository:
Blast Radius: 1.0

Affected Packages

Affected Version Ranges: >= 14.5, < 14.10-rc-1, >= 14.0, < 14.4.7, >= 1.1-milestone-3, < 13.10.11
Fixed in: 14.10-rc-1, 14.4.7, 13.10.11