CVE-2023-35152
Published 2023-06-23
Priority: P3 (50)
CVSS 3.1 base score: 8.8 (high)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.03% (59.3rd percentile)
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged-in user can put dangerous content in the first name field of their own profile and have it executed with programming rights, leading to rights escalation (programming rights are the highest privilege level in XWiki, so a low-privileged account effectively gains full control of the wiki, consistent with the C:H/I:H/A:H vector). The vulnerability has been fixed in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the fix can be applied manually as a patch to the affected wiki page.
Affected
The aggregator listed 7 ranges, but only two carried version data; the empty rows are dropped below. The 15.x row is derived from the advisory text, which names 15.1 as the first fixed release on that line. Note that the advisory only names fixes at 14.4.8, 14.10.6 and 15.1: releases between 14.4.8 and 14.10 (the 14.5 to 14.9 lines) have no fixed release of their own and should be treated as affected, even though the table below does not list them.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki / xwiki-platform | >= 12.9-rc-1 < 14.4.8 | 14.4.8 |
| xwiki | xwiki / xwiki-platform | >= 14.10 < 14.10.6 | 14.10.6 |
| xwiki | xwiki / xwiki-platform | < 15.1 (15.x line, per advisory text) | 15.1 |
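The following checker is an added example, not code from the advisory or from the XWiki project. It encodes the first affected release (12.9-rc-1) and the three fixed releases named above and tells whether a reported XWiki version string falls into an affected range, taking XWiki's pre-release suffixes (`-rc-N`, `-milestone-N`) into account so that, for instance, 14.10-rc-1 sorts before 14.10 and 14.10.1. Two points are assumptions rather than statements of the advisory: that the fixes are per release line, so that 14.5 through 14.10.5 (which got no fix of their own) count as affected, and that the 15.x range starts at 15.0-rc-1. The version list at the bottom is a constructed sample, not a real inventory.

```python
"""Affected-version check for CVE-2023-35152 (XWiki Platform).

Added example; not part of the advisory or of XWiki's own code base.
Fixed releases per the advisory: 14.4.8, 14.10.6 and 15.1; first affected
release: 12.9-rc-1.  Assumption: fixes apply per release line, so a version
is safe only if it is at or after the fix on its own line (this makes 14.5
through 14.10.5 affected, since no fix shipped for those lines).
"""
import re
from typing import List, Optional, Tuple

VersionKey = Tuple[Tuple[int, ...], int, int]

# XWiki version strings look like 14.4.7, 14.10-rc-1, 15.0 or 15.1-milestone-2.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE)
_PRE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2  # a final release sorts after every pre-release of the same number


def parse_version(text: str) -> VersionKey:
    """Return a sortable key (numbers, pre-release rank, pre-release number).

    Numbers are zero-padded to three components so 14.10 == 14.10.0, and the
    rank makes 14.10-rc-1 < 14.10 < 14.10.1.  Unknown formats raise ValueError
    rather than silently being treated as fixed.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    if match.group(2):
        return tuple(numbers), _PRE_RANK[match.group(2).lower()], int(match.group(3))
    return tuple(numbers), _FINAL_RANK, 0


def _line_start(text: str) -> VersionKey:
    """Smallest possible key for a release line, i.e. below even 14.5-milestone-1."""
    return parse_version(text)[0], 0, 0


FIRST_AFFECTED = parse_version("12.9-rc-1")  # advisory: affected starting in 12.9-rc-1

# (first fixed version on a line, start of the next line; None = open-ended).
# A version is safe only when it falls inside one of these half-open intervals.
FIXED_INTERVALS: List[Tuple[VersionKey, Optional[VersionKey]]] = [
    (parse_version("14.4.8"), _line_start("14.5")),    # 14.4.x line
    (parse_version("14.10.6"), _line_start("15.0")),   # 14.10.x line
    (parse_version("15.1"), None),                     # 15.1 and everything after
]


def is_affected(version: str) -> bool:
    """True when `version` falls inside an affected range of CVE-2023-35152."""
    key = parse_version(version)
    if key < FIRST_AFFECTED:
        return False
    for fixed, next_line in FIXED_INTERVALS:
        if key >= fixed and (next_line is None or key < next_line):
            return False
    return True


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Label each reported version; unparsable strings raise ValueError."""
    return [(v, is_affected(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample of version strings, not real hosts.
    sample = ["12.8.1", "12.9-rc-1", "14.4.7", "14.4.8", "14.5", "14.10-rc-1",
              "14.10.5", "14.10.6", "15.0", "15.1"]
    for version, affected in triage(sample):
        print(f"{version:<12} {'AFFECTED' if affected else 'fixed or unaffected'}")
```

The checker deliberately errors out on version strings it does not understand instead of reporting them as safe, so a build with an unexpected suffix shows up in triage rather than disappearing from it.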
GHSA
ghsa · 2023-06-20 · GHSA-rf8j-q39g-7xfm · CVE-2023-35152 · severity CRITICAL · CWE-94 (Improper Control of Generation of Code)
XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
### Impact
Any logged-in user can put dangerous content in the first name field of their own profile and have it executed with programming rights, leading to rights escalation.
### Patches
The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.
### Workarounds
The vulnerability can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49).
On versions before 13.4-rc-1, the fix needs to be applied on [XWiki.Like.Code.LiveTableResultPage](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6dd
OSV
osv · 2023-06-20 · CVE-2023-35152 · severity CRITICAL
XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
(Advisory text identical to the GHSA entry above.)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49
https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39
https://jira.xwiki.org/browse/XWIKI-19900
https://jira.xwiki.org/browse/XWIKI-20611