CVE-2023-30537
published 2023-04-16


Priority: P354
Severity: high
CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.04% (59.6th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the style properties of the `FlamingoThemesCode.WebHome` page. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

Affected (6 ranges)

Vendor   Product          Version range            Fixed in
xwiki    xwiki            >= 12.6.6, < 13.10.11    13.10.11
xwiki    xwiki            >= 14.0, < 14.4.7        14.4.7
xwiki    xwiki            >= 14.5, < 14.10         14.10
xwiki    xwiki-platform   (no range listed)        (not listed)
xwiki    xwiki-platform   (no range listed)        (not listed)
xwiki    xwiki-platform   (no range listed)        (not listed)