Description
XWiki Platform has an injection flaw in SkinsCode.XWikiSkinsSheet that allows attackers with view access to execute arbitrary code, including Groovy and Python macros.
Remediation
Upgrade to XWiki versions 14.4.8, 14.10.4, 15.0-rc-1 or higher to resolve this vulnerability.