CVE-2023-26477

CVSS V2 None CVSS V3 None
Description
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.
Overview
  • CVE ID
  • CVE-2023-26477
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2023-03-02T18:15:10
  • Last Modified Date
  • 2023-03-10T05:00:53
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* 1 OR 6.2.4 13.10.10
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* 1 OR 14.0 14.4.6
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* 1 OR 14.5 14.9
History
Created Old Value New Value Data Type Notes
2023-04-17 05:52:17 Added to TrackCVE
2023-04-17 05:52:19 Weakness Enumeration new