Description

XWiki Platform suffers from an injection flaw in the SkinsCode.XWikiSkinsSheet, allowing attackers with view access to execute arbitrary code including Groovy and Python macros.

Remediation

Upgrade to XWiki versions 14.4.8, 14.10.4, 15.0-rc-1 pr higher to resolve this vulnerability.

References

XWiki Security Advisory

Related Vulnerabilities

Oracle Application Server Other Vulnerability (CVE-2002-1630)

WebLogic CVE-2018-3191 Vulnerability (CVE-2018-3191)

PrestaShop Incorrect Authorization Vulnerability (CVE-2020-5279)

Atlassian Confluence Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2017-18086)

MyBB Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-27947)

Severity

High

Classification

CVE-2023-37462 CWE-74 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Remote Code Execution Known Vulnerabilities