Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | < 14.0 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9cPatch
- https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d36Patch
- https://github.com/xwiki/xwiki-platform/commit/fdfce062642b0ac062da5cda033d25482Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-92wp-r7hm-42g7ExploitVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-19223ExploitIssue TrackingPatch
- https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9cPatch
- https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d36Patch
- https://github.com/xwiki/xwiki-platform/commit/fdfce062642b0ac062da5cda033d25482Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-92wp-r7hm-42g7ExploitVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-19223ExploitIssue TrackingPatch
FAQ
What is CVE-2023-26470?
CVE-2023-26470 is a vulnerability with a CVSS score of 5.7 (MEDIUM). XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. ...
How severe is CVE-2023-26470?
CVE-2023-26470 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-26470?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.