Vulnerability Description
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | < 13.10.11 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceafPatch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqhExploitPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20306ExploitIssue Tracking
- https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceafPatch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqhExploitPatchVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20306ExploitIssue Tracking
FAQ
What is CVE-2023-29214?
CVE-2023-29214 is a vulnerability with a CVSS score of 9.9 (CRITICAL). XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access ...
How severe is CVE-2023-29214?
CVE-2023-29214 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-29214?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.