1. Home
  2. CVE Database
  3. CVE-2023-45138
CRITICAL · 10.0

CVE-2023-45138

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user witho...

Vulnerability Description

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
XwikiChange Request>= 0.11, < 1.9.2

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2023-45138?

CVE-2023-45138 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user witho...

How severe is CVE-2023-45138?

CVE-2023-45138 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2023-45138?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Change Request.