CVE-2023-29211
Published 2023-04-16. CVE-2023-29211: XWiki Commons / xwiki-platform, eval injection via the `wikiId` URL parameter of `WikiManager.DeleteWiki` (full description below).
Priority: P3 · 54 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.19% (percentile 64.2)
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | < 13.10.11 | 13.10.11 |
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 14.4.0 < 14.4.7 | 14.4.7 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA (ghsa · 2023-04-12)
CVE-2023-29211 [CRITICAL] CWE-94: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
### Impact
Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter.
A proof of concept exploit is to open `<xwiki-host>/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D` where `<xwiki-host>` is the URL of your XWiki installation.
### Patches
The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
### Workarounds
The issue can be fixed by manually applying this [pat
OSV (osv · 2023-04-12)
CVE-2023-29211 [CRITICAL]: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
Same advisory text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4
- https://jira.xwiki.org/browse/XWIKI-20297
- https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
Published: 2023-04-16