Vulnerability Description
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Commons | >= 3.2, < 13.10.9 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3hExploitVendor Advisory
- https://jira.xwiki.org/browse/XCOMMONS-2498Issue TrackingPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-19793ExploitIssue TrackingPatch
- https://jira.xwiki.org/browse/XWIKI-19794ExploitIssue TrackingPatch
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3hExploitVendor Advisory
- https://jira.xwiki.org/browse/XCOMMONS-2498Issue TrackingPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-19793ExploitIssue TrackingPatch
- https://jira.xwiki.org/browse/XWIKI-19794ExploitIssue TrackingPatch
FAQ
What is CVE-2023-26055?
CVE-2023-26055 is a vulnerability with a CVSS score of 9.9 (CRITICAL). XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be e...
How severe is CVE-2023-26055?
CVE-2023-26055 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-26055?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Commons.