CVE-2023-26477
published 2023-03-02


Priority P275, critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 74.76% (99.4th percentile)
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

Affected

6 ranges

Vendor   Product          Version range            Fixed in
xwiki    xwiki            >= 14.0 < 14.4.6         14.4.6
xwiki    xwiki            >= 14.5 < 14.9           14.9
xwiki    xwiki            >= 6.2.4 < 13.10.10      13.10.10
xwiki    xwiki-platform
xwiki    xwiki-platform
xwiki    xwiki-platform