Vulnerability Description
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on XWiki 14.4.7, and 14.10.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 14.0, < 14.4.7 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475ExploitPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20293ExploitIssue Tracking
- https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994Patch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475ExploitPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20293ExploitIssue Tracking
FAQ
What is CVE-2023-29212?
CVE-2023-29212 is a vulnerability with a CVSS score of 9.9 (CRITICAL). XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access ...
How severe is CVE-2023-29212?
CVE-2023-29212 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-29212?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.