CVE-2023-29510
Published 2023-04-19
Priority: P2 · 61 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.86% (76.6th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping, which allows remote code execution for any user who has edit access on at least one document. That document could be the user's own profile, where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users can no longer exploit this, because starting with XWiki 14.10 users no longer have script right by default. There are no known workarounds apart from upgrading to a patched version.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| artifex | ghostscript | >= 0 < 9.50~dfsg-5ubuntu4.12 | 9.50~dfsg-5ubuntu4.12 |
| artifex | ghostscript | >= 0 < 9.55.0~dfsg1-0ubuntu5.7 | 9.55.0~dfsg1-0ubuntu5.7 |
| artifex | ghostscript | >= 0 < 10.02.1~dfsg1-0ubuntu7.1 | 10.02.1~dfsg1-0ubuntu7.1 |
| xwiki | xwiki | < 14.10.2 | 14.10.2 |
| xwiki | xwiki-platform | < 14.10.2 | 14.10.2 |
CVSS provenance
nvd·v3.1·8.8 HIGH·CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv·5.5 MEDIUM
OSV
ghostscript vulnerabilities
osv·2024-06-17·CVSS 5.5
CVE-2023-52722 ghostscript vulnerabilities
It was discovered that Ghostscript did not properly restrict eexec
seeds to those specified by the Type 1 Font Format standard when
SAFER mode is used. An attacker could use this issue to bypass SAFER
restrictions and cause unspecified impact. (CVE-2023-52722)
This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.10.
Thomas Rinsma discovered that Ghostscript did not prevent changes to
uniprint device argument strings after SAFER is activated, resulting
in a format-string vulnerability. An attacker could possibly use this
to execute arbitrary code. (CVE-2024-29510)
Zdenek Hutyra discovered that Ghostscript did not properly perform
path reduction when validating paths. An attacker could use this to
access file locations outside of those all
GHSA
Code injection via unescaped translations in xwiki-platform
ghsa·2023-04-19
CVE-2023-29510 [CRITICAL] CWE-74 Code injection via unescaped translations in xwiki-platform
### Impact
In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping, which allows remote code execution for any user who has edit access on at least one document. That document could be the user's own profile, where edit access is enabled by default.
The following describes a proof of concept exploit to demonstrate this vulnerability:
1. Edit the user profile with the wiki editor and set the content to
```
error={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
```
2. Use the object editor to add an o
OSV
Code injection via unescaped translations in xwiki-platform
osv·2023-04-19
CVE-2023-29510 [CRITICAL] Code injection via unescaped translations in xwiki-platform
https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw
https://jira.xwiki.org/browse/XWIKI-19749