Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

Remediation

References

CVE-2023-30537

Related Vulnerabilities

Nginx CVE-2011-4963 Vulnerability (CVE-2011-4963)

Jetty Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2009-5045)

MySQL CVE-2014-6464 Vulnerability (CVE-2014-6464)

Django CVE-2024-24680 Vulnerability (CVE-2024-24680)

WordPress Plugin WP Statistics Cross-Site Scripting (12.0.5)

Severity

High

Classification

CVE-2023-30537 CWE-94 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities