CVE-2023-50732
published 2023-12-21CVE-2023-50732: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without…
PriorityP334medium6.3CVSS 3.1
AVNACLPRLUINSUCLILAL
EPSS
0.49%
38.3th percentile
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 15.0 < 15.2 | 15.2 |
| xwiki | xwiki | >= 8.3 < 14.10.7 | 14.10.7 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Velocity execution without script right through tree macro
osv·2023-12-19
CVE-2023-50732 [HIGH] Velocity execution without script right through tree macro
Velocity execution without script right through tree macro
### Impact
It's possible to execute a Velocity script without script right through the document tree.
To reproduce:
* As a user without script right, create a document, e.g., named Nasty Title
* Set the document's title to `$request.requestURI`
* Click "Save & View"
* Reload the page in the browser
The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right.
### Patches
This has been patched in XWiki 14.10.7 and 15.2RC1.
### Workarounds
A possible workaround is to:
* modify the page XWiki.DocumentTreeMacros
* search for the code `#set ($discard = $translatedDocument.setTitle($translatedDocument.title))`
* modify it into
GHSA
Velocity execution without script right through tree macro
ghsa·2023-12-19
CVE-2023-50732 [HIGH] CWE-863 Velocity execution without script right through tree macro
Velocity execution without script right through tree macro
### Impact
It's possible to execute a Velocity script without script right through the document tree.
To reproduce:
* As a user without script right, create a document, e.g., named Nasty Title
* Set the document's title to `$request.requestURI`
* Click "Save & View"
* Reload the page in the browser
The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right.
### Patches
This has been patched in XWiki 14.10.7 and 15.2RC1.
### Workarounds
A possible workaround is to:
* modify the page XWiki.DocumentTreeMacros
* search for the code `#set ($discard = $translatedDocument.setTitle($translatedDocument.title))`
* modify it into
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cjhttps://jira.xwiki.org/browse/XWIKI-20625https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cjhttps://jira.xwiki.org/browse/XWIKI-20625
2023-12-21
Published