CVE-2023-30537
CVSS V2 None
CVSS V3 None
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.
Overview
- CVE ID
- CVE-2023-30537
- Assigner
- security-advisories@github.com
- Vulnerability Status
- Analyzed
- Published Version
- 2023-04-16T08:15:07
- Last Modified Date
- 2023-04-26T20:07:04
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End |
---|---|---|---|---|
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 1 | OR | 12.6.6 | 13.10.11 |
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 1 | OR | 14.0 | 14.4.7 |
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 1 | OR | 14.5 | 14.10 |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2023-30537 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30537 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2023-04-17 04:49:20 | Added to TrackCVE | |||
2023-04-17 04:49:22 | Weakness Enumeration | new | ||
2023-04-17 14:01:59 | 2023-04-17T13:12:43 | CVE Modified Date | updated | |
2023-04-17 14:01:59 | Received | Awaiting Analysis | Vulnerability Status | updated |
2023-04-21 16:00:56 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
2023-04-26 21:00:51 | 2023-04-26T20:07:04 | CVE Modified Date | updated | |
2023-04-26 21:00:51 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
2023-04-26 21:00:58 | Weakness Enumeration | update | ||
2023-04-26 21:01:01 | CPE Information | updated |