Ecosyste.ms: Advisories
Security Advisories: GSA_kwCzR0hTQS1qZ3JnLXF2cHAtOXZ3cs4AAy59
XWiki Platform vulnerable to code injection from account through AWM view sheet
Impact
Steps to reproduce:
- As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content
{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}
- Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save)
- View the document
Patches
The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3.
Workarounds
There is no known workaround.
References
https://jira.xwiki.org/browse/XWIKI-20423
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qZ3JnLXF2cHAtOXZ3cs4AAy59
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00139
EPSS Percentile: 0.49987
Identifiers: GHSA-jgrg-qvpp-9vwr, CVE-2023-29527
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgrg-qvpp-9vwr
- https://nvd.nist.gov/vuln/detail/CVE-2023-29527
- https://jira.xwiki.org/browse/XWIKI-20423
- https://github.com/advisories/GHSA-jgrg-qvpp-9vwr
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-appwithinminutes-ui
Affected Version Ranges: >= 7.4.4, < 14.10.3
Fixed in: 14.10.3