CVE-2023-32069
Published 2023-05-09
Priority P3 · 50 · Severity high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% (51.3rd percentile)
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 3.4 < 14.10.4 | 14.10.4 |
| xwiki | xwiki-platform | — | — |
The range above starts at 3.4 and omits the 15.0 pre-release line, while the advisory text says affected builds start at 3.3-milestone-2 and the 15.x fix landed in 15.0-rc-1. When checking an instance, treat any build from 3.3-milestone-2 up to (but not including) 14.10.4, and any 15.0 milestone before 15.0-rc-1, as affected.
OSV
osv · 2023-05-11
CVE-2023-32069 [CRITICAL] Privilege escalation (PR)/RCE from account through class sheet
### Impact
Any user who can edit a document, their own user profile included, can bind the XWiki.ClassSheet sheet to that document and thereby execute arbitrary script macros with the rights of the author of the XWiki.ClassSheet document.
**Steps to Reproduce:**
1. Edit your user profile with the object editor and add an object of type `DocumentSheetBinding` with value `Default Class Sheet`
1. Edit your user profile with the wiki editor and add the syntax `{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`
1. Click "Save & View"
**Expected result:**
An error is displayed because the user does not have the right to execute the Groovy macro.
**Actual result:**
The text "Hello from groovy!" is displayed at the top of the document.
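The reproduction steps above, turned into a detection check. This is an added example, not code from the advisory or from XWiki: it walks XWiki document XML and flags documents that carry a DocumentSheetBinding object pointing at XWiki.ClassSheet and embed a script macro in their content, which is the state the steps leave a user profile in. The XML layout it parses (`<xwikidoc>` holding `<object>`/`<className>`/`<property>`/`<sheet>` and `<content>`) and the three sample documents are constructed assumptions about the XAR export format; confirm the element names against a real export before relying on it.

```python
"""
Added example, not part of the XWiki advisory or the XWiki code base: scan
XWiki document XML for the pattern the advisory's steps produce, namely a
DocumentSheetBinding to XWiki.ClassSheet on a document whose content embeds
a script macro. The XML layout (<xwikidoc> with <object>/<className>/
<property>/<sheet> and <content>) and all sample documents below are
constructed assumptions, not data taken from the page.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SHEET_BINDING_CLASS = "XWiki.DocumentSheetBinding"
CLASS_SHEET = "XWiki.ClassSheet"  # shown as "Default Class Sheet" in the object editor

# Script macros that need script or programming rights to run.
SCRIPT_MACRO_RE = re.compile(r"\{\{(groovy|velocity|python|php|ruby)\b", re.IGNORECASE)


def sheet_bindings(doc: ET.Element) -> list[str]:
    """Sheet references from every DocumentSheetBinding object on the document."""
    sheets = []
    for obj in doc.findall("object"):
        if obj.findtext("className") == SHEET_BINDING_CLASS:
            sheet = obj.findtext("property/sheet")
            if sheet:
                sheets.append(sheet.strip())
    return sheets


def script_macros(content: str) -> list[str]:
    """Distinct script macro names used in the wiki content, lower-cased."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(content)})


def scan_document(xml_text: str) -> dict:
    """Classify one document: suspicious = class sheet bound AND a script macro present."""
    doc = ET.fromstring(xml_text)
    content = doc.findtext("content") or ""
    sheets = sheet_bindings(doc)
    macros = script_macros(content)
    finding = {
        "reference": doc.get("reference") or f"{doc.findtext('web')}.{doc.findtext('name')}",
        "content_author": doc.findtext("contentAuthor") or doc.findtext("author"),
        "sheets": sheets,
        "class_sheet_bound": CLASS_SHEET in sheets,
        "script_macros": macros,
        "async_wrapped": "{{async}}" in content,  # wrapper used in the advisory's PoC
    }
    finding["suspicious"] = finding["class_sheet_bound"] and bool(macros)
    return finding


def suspicious_references(docs: dict[str, str]) -> list[str]:
    """Sorted references of every document in the export that matches the pattern."""
    findings = (scan_document(xml_text) for xml_text in docs.values())
    return sorted(f["reference"] for f in findings if f["suspicious"])


# Constructed sample export: a profile edited per the advisory's steps, a
# profile carrying only the binding, and a profile with a macro but no binding.
SAMPLE_DOCS = {
    "attacker_profile": """<xwikidoc version="1.3" reference="XWiki.Mallory" locale="">
  <web>XWiki</web><name>Mallory</name>
  <author>XWiki.Mallory</author><contentAuthor>XWiki.Mallory</contentAuthor>
  <object>
    <className>XWiki.DocumentSheetBinding</className>
    <property><sheet>XWiki.ClassSheet</sheet></property>
  </object>
  <content>{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}</content>
</xwikidoc>""",
    "binding_only": """<xwikidoc version="1.3" reference="XWiki.Bob" locale="">
  <web>XWiki</web><name>Bob</name>
  <author>XWiki.Bob</author><contentAuthor>XWiki.Bob</contentAuthor>
  <object>
    <className>XWiki.DocumentSheetBinding</className>
    <property><sheet>XWiki.ClassSheet</sheet></property>
  </object>
  <content>Bob's profile page.</content>
</xwikidoc>""",
    "macro_only": """<xwikidoc version="1.3" reference="XWiki.Alice" locale="">
  <web>XWiki</web><name>Alice</name>
  <author>XWiki.Alice</author><contentAuthor>XWiki.Alice</contentAuthor>
  <content>Running {{velocity}}$xwiki.getVersion(){{/velocity}}</content>
</xwikidoc>""",
}

if __name__ == "__main__":
    for name, xml_text in SAMPLE_DOCS.items():
        print(f"{name}: {scan_document(xml_text)}")
    print("suspicious:", suspicious_references(SAMPLE_DOCS))
```

Run it over an export of user profiles, or of any documents that low-privileged users can edit, on an instance that has not yet been upgraded. A binding to the class sheet on a non-class document is unusual on its own and, next to a script macro, is worth a look at the document history and the content author. The check covers stored content only; it cannot tell whether the macro was actually rendered with the sheet author's rights, which is what the upgrade to 14.10.4 or 15.0-rc-1 fixes.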
### Patches
This has been patched in XWiki 15.0-rc-1 and 14.10.4.
### Workarounds
There are no known workarounds.
GHSA
ghsa · 2023-05-11
CVE-2023-32069 [CRITICAL] CWE-863 (Incorrect Authorization) Privilege escalation (PR)/RCE from account through class sheet
Advisory text identical to the OSV entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-36fm-j33w-c25f
- https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4
- https://jira.xwiki.org/browse/XWIKI-20566