CVE-2023-26477
high-risk
Published 2023-03-02
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.
Do I need to act?
40.1% chance of exploitation in next 30 days (EPSS score, higher than 60% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Fix available. Upgrade to: 61a67f5cf241df692779d77367168e0762119091, 4db5104960c1c13a7d2b740800e2b9d0091444d8, 85f3a7c74a321e68aa6b99d0d3cf6fddde70aa7c
CVSS 10.0/10, Critical (attack vector: NETWORK, attack complexity: LOW)
Risk score: 55/100 (high-risk)
Severity: 33/34 · Critical
Exploitability: 17/34 · Moderate
Exposure: 5/34 · Minimal