Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Remediation

References

CVE-2023-29519

Related Vulnerabilities

CrushFTP Server URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-18288)

Envoy Proxy Improper Certificate Validation Vulnerability (CVE-2022-21656)

WordPress Plugin WP Server Health Stats Cross-Site Scripting (1.6.10)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-29044)

ownCloud Improper Access Control Vulnerability (CVE-2016-9461)

Severity

High

Classification

CVE-2023-29519 CWE-138 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities