cbcvebase.
CVE-2023-32071
published 2023-05-09

CVE-2023-32071: XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute…

PriorityP270critical9CVSS 3.1
AVNACLPRLUIRSCCHIHAH
EPSS
71.14%
99.3th percentile
XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.

Affected

5 ranges
VendorProductVersion rangeFixed in
xwikixwiki
xwikixwiki>= 14.5.0 < 14.10.414.10.4
xwikixwiki>= 2.3 < 14.4.814.4.8
xwikixwiki-platform
xwikixwiki-platform
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.