CVE-2023-26473
Published 2023-03-02
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.64% (46.0th percentile)
XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 1.3 < 13.10.11 | 13.10.11 |
| xwiki | xwiki | >= 14.0 < 14.4.7 | 14.4.7 |
| xwiki | xwiki | >= 14.5 < 14.10 | 14.10 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA (2023-03-03): CVE-2023-26473 [MEDIUM] CWE-284: Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm
### Impact
Any user with edit right can execute arbitrary database select and access data stored in the database.
To reproduce:
* In admin, rights, remove scripting rights for {{XWikiAllGroup}}.
* Create a new user without any special privileges.
* Create a page "Private.WebHome" with {{TOKEN_42}} as content. Go to "page administration" and explicitly set all rights for "Admin" to remove them for all other users.
* Logout and login as the unprivileged user. Ensure that the previously created page cannot be viewed.
* Create a new page "ExploitClass.WebHome" and then open it in the class editor (first, make the user an advanced user).
* Add a field named {{ContentList}} of type {{
OSV (2023-03-03): CVE-2023-26473 [MEDIUM]: Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.