CVE-2023-35150
XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application
In short
A flaw in XWiki's Invitation application allows any user with basic viewing permission to execute code with administrator-level privileges by crafting a malicious URL, potentially taking over the entire system.
Technical detail
CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) in XWiki's Invitation application permits privilege escalation from view rights to programming rights. An authenticated attacker can craft a specially formed URL to inject and execute arbitrary code with elevated privileges, achieving remote code execution. Affected versions: 2.40m-2 through 14.4.7, 14.10.3, and versions before 15.0.
Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Affected products
xwiki · xwiki-platform
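The following is an added example, not code from the advisory or from the XWiki project: a small checker that maps an installed XWiki version string onto the affected and fixed ranges stated above. It assumes that 14.4.8 and 14.10.4 are backports on the 14.4.x and 14.10.x maintenance branches (so other 14.x releases remain affected until 15.0), that milestone ("m") and release-candidate ("rc") suffixes denote pre-releases of the base version, and that releases below 2.40 are not listed as affected.

```python
import re

# Fix versions from the advisory: 15.0, 14.10.4 and 14.4.8.
FIXED_14_4 = (14, 4, 8)
FIXED_14_10 = (14, 10, 4)
FIXED_15 = (15, 0, 0)
FIRST_AFFECTED = (2, 40, 0)  # 2.40m-2 is a milestone of 2.40 (assumption)


def parse_version(version):
    """Parse an XWiki version such as '14.4.7', '2.40m-2' or '15.0-rc-1'.

    Returns (major, minor, patch, final) where final is 0 for a milestone
    or release candidate and 1 for a final release, so that tuple ordering
    places pre-releases before the release they precede.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    suffix = m.group(4).lower()
    prerelease = bool(re.search(r"(^|-)(m|rc)", suffix))
    return (major, minor, patch, 0 if prerelease else 1)


def is_affected(version):
    """True if the given XWiki version falls in the CVE-2023-35150 range."""
    major, minor, patch, final = parse_version(version)
    key = (major, minor, patch, final)
    if key < FIRST_AFFECTED + (0,):
        return False  # released before the flaw was introduced
    if major >= 15:
        return key < FIXED_15 + (1,)  # only 15.0 pre-releases remain affected
    if (major, minor) == (14, 10):
        return key < FIXED_14_10 + (1,)
    if (major, minor) == (14, 4):
        return key < FIXED_14_4 + (1,)
    return True  # every other release from 2.40 up to 14.x has no fix on its branch


if __name__ == "__main__":
    for v in ["2.39", "2.40m-2", "14.4.7", "14.4.8", "14.9", "14.10.3", "14.10.4", "15.0-rc-1", "15.0"]:
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'fixed / not affected'}")
```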