← Retour aux CVEs

CVE-2023-26471

CRITICAL

9.9

Description

XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

Details CVE

Score CVSS v3.19.9

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie3/2/2023

Derniere modification11/21/2024

Sourcenvd

Observations honeypot0

Produits affectes

xwiki:xwiki

Faiblesses (CWE)

CWE-284

References

https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006(security-advisories@github.com)

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7(security-advisories@github.com)

https://jira.xwiki.org/browse/XWIKI-20234(security-advisories@github.com)

https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7(af854a3a-2127-422b-91ae-364da2661108)

https://jira.xwiki.org/browse/XWIKI-20234(af854a3a-2127-422b-91ae-364da2661108)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.