Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1yZjhqLXEzOWctN3hmbc4AAz9r

XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults

Impact

Any logged-in user can add dangerous content to their first name field and see it executed with programming rights, leading to rights escalation.

Patches

The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.

Workarounds

The vulnerability can be fixed by applying this patch.

On versions before 13.4-rc-1, the fix needs to be applied on XWiki.Like.Code.LiveTableResultPage.

Permalink: https://github.com/advisories/GHSA-rf8j-q39g-7xfm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yZjhqLXEzOWctN3hmbc4AAz9r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-rf8j-q39g-7xfm, CVE-2023-35152
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-like-ui
Affected Version Ranges: >= 12.9-rc-1, < 14.4.8; >= 14.5, < 14.10.6; >= 15.0-rc-1, < 15.1
Fixed in: 15.1, 14.10.6, 14.4.8