Vulnerability Description
XWiki Commons are technical libraries common to several other top-level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirects by using a redirect target such as `//mydomain.com` (i.e. omitting the `http:` scheme, which browsers treat as a protocol-relative URL pointing at an external host). It was also possible to bypass them with a URL such as `http:/mydomain.com` (a single slash after the scheme, which browsers repair to `http://mydomain.com`). The problem has been patched in XWiki 13.10.10, 14.4.4 and 14.8RC1.
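The two bypass shapes named above are not XWiki-specific: any redirect check that only refuses targets spelled out as `http://foreign-host` lets `//foreign-host` and `http:/foreign-host` through, because the browser, not the server-side parser, decides what those strings mean. The following is an added example written for this page, not XWiki's own code or its patch; it contrasts a constructed prefix check of the bypassable kind with a hardened allow-list check that accepts only plain paths or absolute URLs on the site's own host. The host name `wiki.example.org` and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed: the site's own host name, the only host redirects may go to.
ALLOWED_HOST = "wiki.example.org"


def naive_is_local(target: str) -> bool:
    """Prefix check of the kind the advisory describes as bypassable.

    Constructed illustration (not XWiki's code): a target is refused only
    when it spells out a foreign http(s) origin, so "//host" and
    "http:/host" are never examined and slip through.
    """
    lowered = target.lower()
    for prefix in ("http://", "https://"):
        if lowered.startswith(prefix):
            host = lowered[len(prefix):].split("/", 1)[0]
            return host == ALLOWED_HOST
    return True


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Allow-list check: accept only a plain path or an http(s) URL on
    `allowed_host`. Everything the browser could reinterpret as a
    different origin is rejected."""
    if not target:
        return False
    # Whitespace and control characters: header injection, and browsers
    # strip leading/embedded ones so " //host" still becomes "//host".
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers normalise "\" to "/" inside http(s) URLs, so "/\host"
    # is resolved as "//host". Refuse backslashes outright.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s), and only on our own host.
        if parts.scheme not in ("http", "https"):
            return False
        # urlsplit("http:/host") yields no host at all (the "host" lands
        # in .path), while a browser repairs it to http://host. Requiring
        # an explicit, exactly matching host rejects that shape, and
        # .hostname also ignores userinfo ("http://allowed@evil/").
        return parts.hostname == allowed_host
    # No scheme: a network-path reference ("//host", "///host") carries a
    # host the browser will honour; only a single-slash path is local.
    if parts.netloc:
        return False
    return target.startswith("/") and not target.startswith("//")


def compare(targets):
    """Return {target: (naive_verdict, hardened_verdict)} for inspection."""
    return {t: (naive_is_local(t), is_safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample targets, including the two shapes from the advisory.
    samples = [
        "/bin/view/Main/",
        "https://wiki.example.org/bin/view/Main/",
        "//mydomain.com",
        "http:/mydomain.com",
        "///mydomain.com",
        "/\\mydomain.com",
        "http://wiki.example.org@mydomain.com/",
    ]
    for t, (naive, hardened) in compare(samples).items():
        print(f"{t!r:45} naive={naive!s:5} hardened={hardened}")
```

Running the block prints both verdicts for each sample: the naive check accepts `//mydomain.com` and `http:/mydomain.com`, the hardened one refuses them while still accepting the site's own paths and absolute URLs. Whatever language the application is written in, the defensive pattern is the same: parse the target, then accept only the shapes you can positively identify as local, rather than trying to enumerate the foreign ones.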
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 6.0, < 13.10.10 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218ab (Patch)
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xwph-x6xj-wggv (Exploit, Patch, Vendor Advisory)
- https://jira.xwiki.org/browse/XWIKI-10309 (Exploit, Issue Tracking)
- https://jira.xwiki.org/browse/XWIKI-19994 (Exploit, Issue Tracking)
FAQ
What is CVE-2023-29204?
CVE-2023-29204 is a vulnerability with a CVSS score of 4.7 (MEDIUM). XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect ...
How severe is CVE-2023-29204?
CVE-2023-29204 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2023-29204?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.